Abstract

We investigate the performance of a streamlined version of Shor's algorithm in which the quantum
Fourier transform is replaced by a banded version that for each qubit retains only coupling to its
b nearest neighbors. Defining the performance P(n, b) of the n-qubit algorithm for bandwidth b as
the ratio of the success rates of Shor's algorithm equipped with the banded and the full bandwidth
(b = n - 1) versions of the quantum Fourier transform, our numerical simulations show that
$P(n,b) \approx \exp[-\varphi_{\max}^2(n,b)/100]$ for $n < n_t(b)$ (non-exponential regime) and
$P(n,b) \approx 2^{-\xi_b (n-8)}$ for $n > n_t(b)$ (exponential regime), where $n_t(b)$, the location of
the transition, is approximately given by $n_t(b) \approx b + 5.9 + \sqrt{7.7(b+2) - 47}$ for $b > 8$,
$\varphi_{\max}(n,b) = 2\pi[2^{-b-1}(n-b-2) + 2^{-n}]$, and $\xi_b \approx 1.1 \times 2^{-2b}$.
Analytically we obtain $P(n,b) \approx \exp[-\varphi_{\max}^2(n,b)/64]$ for $n < n_t(b)$ and
$P(n,b) \approx 2^{-\tilde\xi_b n}$ for $n > n_t(b)$, where
$\tilde\xi_b \approx \frac{\pi^2}{12 \ln 2} \times 2^{-2b} \approx 1.19 \times 2^{-2b}$. Thus, our analytical
results predict the $\varphi_{\max}^2$ scaling ($n < n_t$) and the $2^{-2b}$ scaling ($n > n_t$) of the data perfectly.
In addition, in the large-n regime, the prefactor in $\tilde\xi_b$ is close to the results of our numerical
simulations and, in the low-n regime, the numerical scaling factor in our analytical result is within
a factor 2 of its numerical value. As an example we show that b = 8 is sufficient for factoring
RSA-2048 with a 95% success rate.



PACS numbers: 03.67.Lx

I. INTRODUCTION

While the art of integer factoring lay dormant, literally for millennia, and not much
progress beyond the crudest methods, such as trial division and looking for differences of
squares, had been made [1], the advent of the widely used RSA cryptosystem [2] has recently
propelled the factoring of large integers from the arcane recesses of an ancient mathematical
discipline into the limelight of contemporary physics and mathematics. The reason is that a
powerful factoring algorithm may be used in a frontal attack on the RSA cryptosystem, and,
if successful, immediately reveals untold scores of government, military, and financial secrets.
No wonder then, that the first substantial breakthrough in factoring in centuries,
the quadratic number sieve [1, 5], occurred shortly after the initial publication of the RSA
method [2]. Using the quadratic number sieve, RSA keys with up to 100 decimal digits can
now routinely be cracked [5] and are not safe any more. In 1993, the general number field
sieve [3] added even more power to factoring attacks on RSA and was used successfully to
factor the RSA challenge number RSA-768 (232 decimal digits) [8], which prompted the US
National Institute of Standards and Technology (NIST) to recommend retirement of all RSA
keys with 1024 binary digits or less [9]. However, no matter how powerful these modern
factoring algorithms are, they are based on classical computing algorithms, executed on
classical computers and without further improvements will never be able to crack an RSA
key consisting of 5000 decimal digits or more (see Sec. VIII). But not only classical computing
profited from the advent of the RSA cryptosystem, so did quantum computing [10]. In 1994,
Shor demonstrated that a certain quantum algorithm executed on a quantum computer is
exponentially more powerful than any currently known classical factoring scheme and poses
a real threat to RSA-encrypted data [11]. Since its inception in 1994, Shor's algorithm has
maintained its status as the gold standard in quantum computing, and progress in quantum
computer implementation is frequently measured in terms of the size of semiprimes that
a given quantum computer can factor [12, 13]. While, compared with classical factoring
algorithms, Shor's algorithm is tremendously more powerful, it should not come as a surprise
that in order to break currently employed RSA keys, an enormous number of quantum
operations still need to be performed. Therefore, any advances in streamlining practical
implementations of Shor's algorithm that reduce the number of required quantum operations
are welcome. A central component of Shor's algorithm is a quantum Fourier transform [10]
and our paper focuses on how to perform this part of Shor's algorithm with the least number
of quantum gates and gate operations that still guarantee acceptable performance of the
algorithm.

Our paper is organized in the following way. In Sec. II we present Shor's algorithm.
This section also serves to introduce the basic notation and explains the central position
of the quantum Fourier transform in Shor's algorithm. While the original version of Shor's
algorithm [11] is formulated with the help of a full implementation of the quantum Fourier
transform, it turns out that a reduced, approximate version of the quantum Fourier transform,
the banded quantum Fourier transform [14, 16], yields surprisingly good results when
used in conjunction with Shor's algorithm. The banded quantum Fourier transform is
introduced and discussed in Sec. III. In order to assess the influence of the banded quantum
Fourier transform on the performance of Shor's algorithm, we need an objective performance
measure. Our performance measure is defined in Sec. IV. In Sec. V, based on the performance
measure defined in Sec. IV, we investigate numerically the performance of a quantum
computer for various bandwidths b as a function of the number of qubits n. We find that for
fixed b the quantum computer exhibits two qualitatively different regimes, exponential for
large n and non-exponential for small n. We also find that relatively small b < 10 are already
sufficient for excellent quantum computer performance, even for n so large as to be
interesting for the factoring of semiprimes N of practical interest. These numerical findings are
then investigated analytically in Sec. VI. In Sec. VI A we show an important property of the
performance measure, i.e. approximate separability, which allows us to analyze analytically
the large-n behavior (Sec. VI B) and the small-n behavior (Sec. VI C) of the numerical data
presented in Sec. V. In particular, we are able to predict analytically the scaling functions
of the data in the large-n and small-n regimes. In Sec. VII we compare our work with the
related pioneering work of Fowler and Hollenberg [15]. While the final results are similar,
our approach differs substantially from the approach in [15]. Factoring actual semiprimes,
our approach is more realistic than the approach taken in [15] and may serve to check the
results reported in [15]. In addition, we report a host of new results. In Sec. VIII we discuss
our results and conclude the paper in Sec. IX. In order not to break the flow of exposition
in the main text of our paper, some technical material is relegated to three appendices. In
Appendix A we prove existence and uniqueness of an order-2 element for any semiprime
N. In Appendix B we compute an analytical bound for the maximal possible order $\omega$ of a
given semiprime N. In Appendix C we provide an auxiliary result on the distribution of an
inverse factor of $\omega$, needed for one of our analytical results reported in Sec. VI.



II. SHOR'S ALGORITHM 

Progress in quantum computing happens in fits and starts. Periods of stagnation and
pessimism are followed by unexpected breakthroughs and optimism. Shor's algorithm is a
case in point. Following a lull in quantum computing during which the only known
quantum algorithms were of an "academic" nature, Shor's algorithm, the first "useful" quantum
algorithm, instantly revived the field when it burst on the scene, quite unexpectedly, in 1994
[11]. Shor's algorithm is quantum mechanics' answer to a task that is hard or impossible
to perform on any classical computer: factoring large semiprimes N. To accomplish this
task, Shor's algorithm makes use of the entire palette of quantum effects that result in an
exponential speed-up of the quantum algorithm with respect to any currently known
classical factoring algorithm: superposition, interference, and entanglement. Shor's algorithm
is based on Miller's algorithm [17], a classical factoring algorithm. Miller's algorithm
determines the factors of a semiprime N = pq, where $p \neq q$ are prime, according to the following
procedure. First, we choose a positive integer 1 < x < N, called the seed, relatively prime to
N, i.e. gcd(x, N) = 1, where gcd denotes the greatest common divisor. Then, we determine
the smallest positive integer $\omega$, called the order of x, such that

$$x^{\omega} \bmod N = 1. \tag{1}$$

For Miller's algorithm to work, we require (i) that $\omega$ is even and (ii) that
$(x^{\omega/2} + 1) \bmod N \neq 0$. Both conditions need to be fulfilled. If even one is not fulfilled,
we need to choose another x and try again. There is a high probability that this will succeed
after only a few trials [10, 15, 18]. Having found a seed x satisfying both conditions, we write
(1) in the form

$$[(x^{\omega/2} - 1)(x^{\omega/2} + 1)] \bmod N = 0, \tag{2}$$

which implies that N divides the product on the left-hand side of (2). This might be
accomplished if N divides $x^{\omega/2} - 1$, which implies $x^{\omega/2} \bmod N = 1$. This, however, is
impossible, because $\omega/2 < \omega$ and $\omega$, according to (1), is the smallest such exponent. Another
hypothetical possibility is that N divides the second factor in (2). This, however, is excluded
according to condition (ii). The only remaining possibility is that p divides one of the factors
in (2) and q divides the other. Appropriately naming the factors of N, we have

$$p = \gcd(x^{\omega/2} - 1, N), \quad q = \gcd(x^{\omega/2} + 1, N), \tag{3}$$

and the factoring problem is solved. So, if Miller's classical algorithm does the job, why do
we need Shor's quantum algorithm? The answer is that finding the order $\omega$ on a classical
computer is an algorithmically hard problem that, for a generic seed x, is impossible to
perform on a classical computer within a reasonable execution time for semiprimes N with
more than 5000 digits (see Sec. VIII). This is where Shor's algorithm comes in. Using
a quantum Fourier transform to find the order $\omega$, Shor's algorithm makes order-finding
tractable on a quantum computer. This is how it works.
First, we define the function

$$f(k) = x^k \bmod N, \tag{4}$$

where k is an integer with $k \geq 0$. Since $f(k + \omega) = f(k)$, the function f turns order finding
into period finding. Since periods may be found by a Fourier transform, the central idea of
Shor's algorithm is to use a quantum Fourier transform to determine $\omega$. To implement this
idea [11, 17] we work with a quantum computer consisting of two quantum registers,
register I and register II. We assume that both registers consist of n qubits. In order to
reliably determine $\omega$ for given N, care must be taken to choose n at least twice as large as
the number of binary digits of N [10, 18]. We strictly observe this requirement in Sec. V
[see (64)], where we present our numerical work. We start by initializing both registers to
0 such that the initial state of the quantum computer is



|V> = |0,...,0)i|0,...,0)jj. (5) 

Next, we initialize register I with a superposition of all integers from 0 to $2^n - 1$ by applying
a single-qubit Hadamard transform [10] to each of the n qubits of register I, resulting in the
state

2™-l 

W = nm £ l*>/|o,...,o>//, (6) 

where we introduced an intuitive equivalence, whereby an integer $k \geq 0$ is mapped onto the
n qubits of a register according to the binary digits of k. Now, we make use of the function f
defined in (4) to fill register II with the f-images of register I. This results in the computer
state

iv>) = 4^ E 1% !/(*)>"• (7) 

This step entangles registers I and II. The function f induces equivalence classes

$$[s_0] = \{ s_0 + k\omega,\ 0 \leq k \leq K(s_0) - 1 \} \tag{8}$$

on $\{0, \ldots, 2^n - 1\}$ with representatives $0 \leq s_0 \leq \omega - 1$, where $K(s_0)$ is the smallest integer
with $s_0 + K(s_0)\omega \geq 2^n$. In other words, $K(s_0)$ is the number of elements in the equivalence
class $[s_0]$. Since the range of s values is $2^n$ and the spacing is $\omega$, we obtain, approximately,

$$K(s_0) \approx \frac{2^n}{\omega}. \tag{9}$$

Because of the periodicity of f, each member of $[s_0]$ is mapped onto $f(s_0)$. Therefore, if
a measurement of register II collapses this register into the state $|f(s_0)\rangle_{II}$, the quantum
computer is in the state

$$|\psi_i\rangle = \frac{1}{\sqrt{K(s_0)}} \sum_{k=0}^{K(s_0)-1} |s_0 + k\omega\rangle_I\, |f(s_0)\rangle_{II}. \tag{10}$$
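We may now apply a quantum Fourier transform

$$U^{(\mathrm{QFT})} = \frac{1}{\sqrt{2^n}} \sum_{k,l=0}^{2^n-1} |l\rangle \exp(2\pi i\, lk/2^n) \langle k| \tag{11}$$

to register I of $|\psi_i\rangle$ to obtain

$$|\psi_f\rangle = \frac{1}{\sqrt{K(s_0)\, 2^n}} \sum_{k=0}^{K(s_0)-1} \sum_{l=0}^{2^n-1} \exp[2\pi i\, l(s_0 + k\omega)/2^n]\, |l\rangle_I\, |f(s_0)\rangle_{II}. \tag{12}$$

A measurement of register I then collapses $|\psi_f\rangle$ into $|l\rangle$ with probability

$$P(n,l,\omega) = \frac{1}{2^n K} \left| \sum_{k=0}^{K-1} \exp(2\pi i\, lk\omega/2^n) \right|^2 = \frac{\sin^2(K\pi\omega l/2^n)}{2^n K \sin^2(\pi\omega l/2^n)}, \tag{13}$$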

where here and in the following we suppressed the argument $s_0$ of K. Apparently, $P(n,l,\omega)$
is sharply peaked at l values for which $\omega l/2^n$ is close to an integer. As a consequence, these
l values will appear as a result of measurement with a high probability. Subsequent analysis
of the measured peak location on a classical computer then reveals the factors of N with
high probability [10]. This step is called classical post-processing [18]. Equation (13)
is the starting point of our analysis of the performance of Shor's algorithm with a banded
quantum Fourier transform in Sec. IV.
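
The classical parts of the procedure described above, as an added example that is not part of the paper: Miller's reduction (1)-(3), the peak probability (13), and the classical post-processing step, done here with continued fractions (an assumption of this example; the paper only cites [10, 18] for that step). The seed x = 2, the choice $s_0 = 0$ and all function names are choices of this example; N = 247 with order 36 is the case shown in Fig. 2 and the register size follows (64).

```python
import math
from fractions import Fraction


def order(x, N):
    """Smallest omega > 0 with x**omega mod N == 1, eq. (1). Brute force: toy N only."""
    if math.gcd(x, N) != 1:
        raise ValueError("seed must be relatively prime to N")
    omega, y = 1, x % N
    while y != 1:
        y = (y * x) % N
        omega += 1
    return omega


def miller_factor(x, N):
    """Eqs. (2), (3): the two factors of N, or None if condition (i) or (ii) fails."""
    omega = order(x, N)
    if omega % 2:                        # (i) omega must be even
        return None
    half = pow(x, omega // 2, N)
    if (half + 1) % N == 0:              # (ii) x**(omega/2) + 1 must not vanish mod N
        return None
    return math.gcd(half - 1, N), math.gcd(half + 1, N)


def register_size(N):
    """Eq. (64): n = floor(2*log2(N) + 1), computed exactly with integers."""
    return (N * N).bit_length()


def class_size(n, omega, s0=0):
    """K(s0): number of elements s0 + k*omega of the class (8) below 2**n."""
    return -(-((1 << n) - s0) // omega)


def peak_probability(n, l, omega, s0=0):
    """Eq. (13): probability of measuring l in register I after the full QFT."""
    size, K = 1 << n, class_size(n, omega, s0)
    t = (omega * l) % size               # reduce the phase exactly before taking sines
    if t == 0:                           # exact peak: all K terms add in phase
        return K / size
    numerator = math.sin(math.pi * ((K * t) % size) / size) ** 2
    return numerator / (size * K * math.sin(math.pi * t / size) ** 2)


def recover_order(l, n, x, N):
    """Post-processing: best fraction j/r for l/2**n with r < N, then verify r."""
    r = Fraction(l, 1 << n).limit_denominator(N - 1).denominator
    for multiple in range(1, N // r + 1):    # j and omega may share a factor
        if pow(x, multiple * r, N) == 1:
            return multiple * r
    return None                               # l was not close enough to a peak


if __name__ == "__main__":
    N, x = 247, 2                             # constructed toy input
    n, omega = register_size(N), order(x, N)
    print("n =", n, "omega =", omega, "factors =", miller_factor(x, N))
    for l in (9102, 10923):                   # integers closest to peaks j = 5 and j = 6
        print(l, round(peak_probability(n, l, omega), 4), recover_order(l, n, x, N))
```

The second sample value, l = 10923, lies at peak j = 6, which shares a factor with the order, so the continued-fraction step alone returns only a divisor of the order and the verification loop is what restores it.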

Several experimental demonstrations of Shor's algorithm have been published [13, 19-21].
Since it is exceedingly difficult to experimentally control more than a handful of
qubits, the numbers N factored in these experiments are very small, currently not exceeding
N = 21 [ljj. Therefore, reaching higher N is facilitated by reducing the requirements
to run Shor's algorithm on a quantum computer. One such optimization is the use of
an approximate, banded quantum Fourier transform [14] instead of the full quantum
Fourier transform (11). Further optimization is possible by using a banded version of the
semi-classical quantum Fourier transform [22] defined in the following section.



III. BANDED QUANTUM FOURIER TRANSFORM 

A direct circuit implementation of the Fourier transform defined in (11) requires n(n+1)/2
two-qubit quantum gates [10]. In [22], it was shown that, when followed by measurements,
as required by Shor's algorithm, an equivalent quantum circuit, consisting exclusively of
single-qubit gates, is exactly equivalent to the two-qubit realization of the quantum Fourier
transform. Figure 1(a) illustrates this single-qubit realization of the quantum Fourier
transform for the special case of five qubits (we classify the conditional rotation gates $\theta$ in
Fig. 1 as single-qubit gates since they are controlled by classical input and act coherently
only on a single qubit). This circuit still requires $\sim n^2$ gate operations, but since they are
performed by single-qubit gates, experimental implementation of this single-qubit circuit
is considerably simpler. In contrast to the full two-qubit implementation of the quantum
Fourier transform, where the measurements may occur simultaneously at the end of the
quantum computation, the measurements in the single-qubit version of the quantum Fourier
transform [denoted by the M gates in Fig. 1(a)] occur sequentially and their (classical)
measurement results are used to control the phase rotation gates $\theta$. As first pointed out
by Coppersmith [14], even this quantum circuit may still be optimized by working with an
approximate, banded quantum Fourier transform as illustrated in Fig. 1(b).

FIG. 1: Logic circuit of a five-qubit implementation of the single-qubit realization of the quantum
Fourier transform [22]. (a) Full implementation (bandwidth b = 4); (b) truncated implementation
(bandwidth b = 1). H, $\theta$, and M denote Hadamard, single-qubit conditional rotation, and
measurement gates, respectively.

The banded quantum Fourier transform $U_b^{(\mathrm{QFT})}$ [see Fig. 1(b)] is obtained from the full
implementation of the single-qubit quantum Fourier transform [see Fig. 1(a)] by retaining
only the coupling to b nearest neighbors of a given qubit. As illustrated in Fig. 1(b) for the
case b = 1, this results in a banded structure of the corresponding quantum circuit [16]. The
name is also justified on theoretical grounds since the unitary matrix representing the circuit
shown in Fig. 1(b) has a banded structure [23]. The banded quantum Fourier transform of
bandwidth b is the basis of our work presented in the following sections.



IV. PERFORMANCE MEASURE 



The key idea of Shor's algorithm is to use superposition and entanglement to steer the
quantum probability into qubits that correspond to numbers encoded in binary form, which
will then, as a result of classical post-processing, reveal the factors of N. Our first task,
therefore, is to locate the useful peaks after the quantum Fourier transform is performed.
In order to define our performance measure, we are interested in how sharp these peaks are
in l. For this purpose, we notice that $P(n,l,\omega)$ [see (13)] (up to a factor) is of the form

m = (14) 

sin [z) 

where K is a large integer, z is a real number, and f(z) is sharply peaked at integer multiples
of $\pi$. Since the shape of f(z) is the same for z in the vicinity of each peak, it suffices to
investigate the peak at z = 0 to determine the width of all the other peaks of f(z). We
define the half width $\Delta z$ of f(z) by requiring

/(A*) = \ (15) 

Inspired by a second-order Taylor-series expansion of (15), we obtain the heuristic formula

I- 39 

, (16) 
which, for K > 10, satisfies (15) to better than $10^{-3}$. Applied to $P(n,l,\omega)$ in (13), we have

$$z = \frac{\pi\omega l}{2^n} \tag{17}$$

and, therefore,

$$\Delta z = \frac{\pi\omega}{2^n}\, \Delta l \approx \frac{1.39}{K}, \tag{18}$$

from which we obtain

$$\Delta l \approx \left( \frac{2^n}{\omega K} \right) \left( \frac{1.39}{\pi} \right) \approx 0.44, \tag{19}$$

where we used (9). This result shows that the full width at half maximum of the l-peaks is
only about one state and that this width is "universal" in the sense that it is independent
of K, $\omega$, and n.

Since a peak in $P(n,l,\omega)$ occurs whenever $\omega l/2^n$ is close to an integer, we define the
l-integer closest to peak number j according to:

$$l_j = \left( \frac{2^n}{\omega} \right) j + \beta_j, \quad j = 0, 1, \ldots, \omega - 1, \tag{20}$$

where $\beta_j$, a rational number, ranges between -1/2 and 1/2. Since the peaks in $P(n,l,\omega)$
are universal in the above sense and contain basically only a single state, namely $l_j$ defined
in (20), we use

$$P(n, l_j, \omega) = P_j(n, \omega) \tag{21}$$

as the basis for our performance measure.



FIG. 2: Shape of a Fourier peak in l as a function of b for the semiprime N = 247 and order
$\omega$ = 36. Shown are the peaks for different bandwidths b = 1 (solid), b = 2 (long-dashed), b = 3
(short-dashed), and b = 10 (dotted). The vertical solid line is located at l = 9101.5.

Although the width of the peaks of $P(n,l,\omega)$ is narrow, according to (19) of the order
of a single state, and although $|l_j\rangle$ carries most of the probability in peak number j of
$P(n,l,\omega)$ (approximately 77% on average), there are nevertheless several states $|l\rangle$ inside of
peak number j that occur with a small but still appreciable probability in a measurement
of $|\psi_f\rangle$ in (12). These states are also useful for factoring during classical post-processing
(see Sec. II and [10, 18]), and the question arises if these states should be included in the
performance measure. Indeed, instead of determining the performance of Shor's algorithm
on the basis of the single state $|l_j\rangle$, Fowler and Hollenberg [15], e.g., base their performance
measure on the two closest states to the peaks in $P(n,l,\omega)$. We found that including more
states in the performance measure is not necessary, since the width of the Fourier peaks
in l is independent of the bandwidth b. At first glance this is surprising, since intuitively,
we would think that the quality of the quantum Fourier transform should deteriorate with
decreasing bandwidth b, possibly accompanied by a broadening of the Fourier peaks in l.
That this is not so, and that the widths of the Fourier peaks are indeed independent of b, is
demonstrated in Fig. 2 for the case N = 247 for b = 1, 2, 3, 10. Independent of b, the vertical
line in the figure cuts each Fourier peak at approximately its midpoint, thus demonstrating
that the widths of the Fourier peaks in l are indeed independent of b. Thus, upon a change
in b, all l states under a Fourier peak respond in unison to the change in b. Therefore, a
single l state, such as $l_j$, is an excellent representative of all the l states in its immediate
vicinity.

Defining $P_j(n,b,\omega) = P(n,l_j,b,\omega)$ as the probability of obtaining $|l_j\rangle$ in a measurement
of $|\psi_f\rangle$ if instead of the full quantum Fourier transform (11) the banded quantum Fourier
transform (see Sec. III) is used and taking into account that the widths of the peaks in
$P_j(n,b,\omega)$ do not change as b is varied, we use the ratio of the total probability of collapse
into one of the states $|l_j\rangle$, given the bandwidth b, to that of the full bandwidth b = n - 1, to
capture the overall probability of obtaining the useful $|l\rangle$ states in the vicinity of $l_j$. Thus,
the normalized ratio is of the form

$$P(n,b,\omega) = \tilde P(n,b,\omega) / \tilde P(n, b = n-1, \omega), \tag{22}$$

where

$$\tilde P(n,b,\omega) = \sum_{j=0}^{\omega-1} P_j(n,b,\omega) \tag{23}$$

and $\tilde P(n, b = n-1, \omega)$ is the probability of collapsing into any one of the set of useful states
$|l_j\rangle$ as a result of measuring $|\psi_f\rangle$, where $|\psi_f\rangle$ is generated from $|\psi_i\rangle$ by application of the
full quantum Fourier transform $U^{(\mathrm{QFT})}$ defined in (11). We use $P(n,b,\omega)$, defined in (22),
as our performance measure throughout this paper.

Next, we derive an analytical expression for $P_j(n,b,\omega)$, valid for any bandwidth $0 \leq b \leq n - 1$,
that can be used in our performance measure (22). In order to find $P_j(n,b,\omega)$ we need
to descend to the qubit-by-qubit level, since the bandwidth b in $U_b^{(\mathrm{QFT})}$ refers to inter-qubit
spacing on the qubit level in the circuit diagram of $U_b^{(\mathrm{QFT})}$ [see Fig. 1(b)]. We start with a
representation of the quantum Fourier transform in bit-notation

$$U^{(\mathrm{QFT})}|s\rangle = \frac{1}{\sqrt{2^n}} \sum_{l=0}^{2^n-1} e^{2\pi i\, sl/2^n} |l\rangle = \frac{1}{\sqrt{2^n}} \prod_{m=0}^{n-1} \sum_{l_{[n-m-1]}=0}^{1} e^{2\pi i\, (.s_{[m]} s_{[m-1]} \ldots s_{[0]})\, l_{[n-m-1]}}\, |l_{[n-m-1]}\rangle, \tag{24}$$

where $s_{[\nu]}$ ($l_{[\nu]}$) indicates the $\nu$th binary digit of s ($\nu$th binary digit of l) and

$$(.s_{[m]} s_{[m-1]} \ldots s_{[0]}) = \sum_{\nu=0}^{m} s_{[\nu]}\, 2^{-(m-\nu+1)}. \tag{25}$$

For bandwidth b, $U_b^{(\mathrm{QFT})}|s\rangle$ then becomes

$$U_b^{(\mathrm{QFT})}|s\rangle = \frac{1}{\sqrt{2^n}} \prod_{m=0}^{n-1} \sum_{l_{[n-m-1]}=0}^{1} e^{2\pi i\, [(.s_{[m]} s_{[m-1]} \ldots s_{[0]}) - (.00 \ldots 0\, s_{[m-b-1]} \ldots s_{[0]})]\, l_{[n-m-1]}}\, |l_{[n-m-1]}\rangle. \tag{26}$$

We may also write

$$U_b^{(\mathrm{QFT})}|s\rangle = \sum_{l=0}^{2^n-1} B(s,l)\, |l\rangle, \tag{27}$$

where

$$B(s,l) = \frac{1}{\sqrt{2^n}} \exp\left\{ 2\pi i \sum_{m=0}^{n-1} [\Delta_{m,0}(s) - \Delta_{m,b+1}(s)]\, l_{[n-m-1]} \right\} \tag{28}$$

and

$$\Delta_{m,\lambda}(s) = (.00 \ldots 0\, s_{[m-\lambda]} s_{[m-\lambda-1]} \ldots s_{[0]}), \tag{29}$$

i.e. $\lambda$ zeros are following the binary point. Defining

$$S_\lambda(s,l) = \sum_{m=0}^{n-1} \Delta_{m,\lambda}(s)\, l_{[n-m-1]}, \tag{30}$$

we may express B(s,l) in the form

$$B(s,l) = \frac{1}{\sqrt{2^n}} \exp\{ 2\pi i [S_0(s,l) - S_{b+1}(s,l)] \}. \tag{31}$$

Sorting indices, $S_\lambda(s,l)$ may be written in the form

$$S_\lambda(s,l) = \sum_{m=\lambda}^{n-1} \sum_{\mu=0}^{m-\lambda} \frac{s_{[n-m-1]}\, l_{[\mu]}}{2^{m-\mu+1}}. \tag{32}$$



We are now ready to apply the banded quantum Fourier transform to register I of the
initial state $|\psi_i\rangle$ [see (10)] and obtain with (27) and (31)



ZV A:=0 
K-X2 n -l 



fc=0 Z=0 
A'-l 2 n -l 



== E E exp {^"[-SbCsfc,/) - S b+1 (s k ,l)]}\l). 



V2"K 



(33) 



From this we obtain

$$P_j(n,b,\omega) = \frac{1}{2^n K} \left| \sum_{k=0}^{K-1} \exp\{ 2\pi i [S_0(s_k,l_j) - S_{b+1}(s_k,l_j)] \} \right|^2, \tag{34}$$

which, using the expanded form (32) of S, can be written in the form

$$P_j(n,b,\omega) = \frac{1}{2^n K} \left| \sum_{k=0}^{K-1} e^{\,i[\Phi(n,s_k,l_j) - \varphi(n,b,s_k,l_j)]} \right|^2, \tag{35}$$

where

$$\Phi(n,s,l) = 2\pi \sum_{m=0}^{n-1} \sum_{\mu=0}^{m} \frac{s_{[n-m-1]}\, l_{[\mu]}}{2^{m-\mu+1}} \tag{36}$$

and

$$\varphi(n,b,s,l) = 2\pi \sum_{m=b+1}^{n-1} \sum_{\mu=0}^{m-b-1} \frac{s_{[n-m-1]}\, l_{[\mu]}}{2^{m-\mu+1}}. \tag{37}$$

While $\Phi$ in (36) is already in a form useful for numerical calculations, we now derive an
expression for $\exp(i\Phi)$, which is more convenient for the analytical calculations in Sec. VI.
We start by summing (36) in reverse order over m ($n - m - 1 \to m$) to obtain:

$$\Phi(n,s,l) = \frac{2\pi}{2^n} \sum_{m=0}^{n-1} \sum_{\mu=0}^{n-m-1} 2^m s_{[m]}\, 2^\mu l_{[\mu]} = \frac{2\pi}{2^n} \sum_{m=0}^{n-1} 2^m s_{[m]} \sum_{\mu=0}^{n-m-1} 2^\mu l_{[\mu]}. \tag{38}$$

If we extend the $\mu$ sum in (38) to include terms ranging from $\mu = n - m$ to $\mu = n - 1$, we notice
that these extra terms generate even multiples of $2\pi$ in (38). Therefore, when computing
$\exp(i\Phi)$, we can safely extend the $\mu$ sum to $\mu = n - 1$, since the extra terms, generating even
multiples of $2\pi i$ in the argument of the exponential function, do not contribute to $\exp(i\Phi)$.
Therefore, we obtain:

$$\exp[i\Phi(n,s,l)] = \exp\left( \frac{2\pi i}{2^n} \sum_{m=0}^{n-1} 2^m s_{[m]} \sum_{\mu=0}^{n-1} 2^\mu l_{[\mu]} \right). \tag{39}$$

Using the fact that

$$\sum_{m=0}^{n-1} 2^m s_{[m]} = s \bmod 2^n, \tag{40}$$

and similarly for l, we obtain

$$\exp[i\Phi(n,s,l)] = \exp\left\{ \frac{2\pi i}{2^n} [(s \bmod 2^n)(l \bmod 2^n)] \right\}. \tag{41}$$

The factor $2\pi i/2^n$ in the exponent induces a modulo operation and we may also write

$$\exp[i\Phi(n,s,l)] = \exp\left\{ \frac{2\pi i}{2^n} [(s \bmod 2^n)(l \bmod 2^n)] \bmod 2^n \right\}. \tag{42}$$

Using the formula

$$[(A \bmod M)(B \bmod M)] \bmod M = (A \cdot B) \bmod M \tag{43}$$

of elementary modular arithmetic, we may write (42) in the form:

$$\exp[i\Phi(n,s,l)] = \exp\left\{ \frac{2\pi i}{2^n} [(s \cdot l) \bmod 2^n] \right\}. \tag{44}$$

Now, we use (20) and (44) with $s = s_k$ to obtain:

$$\exp[i\Phi(n,s_k,l_j)] = \exp\left\{ \frac{2\pi i}{2^n} [(k 2^n j + k\omega\beta_j) \bmod 2^n] \right\}. \tag{45}$$

The first term in parentheses contributes nothing to (45), since it is an integer and together
with the prefactor in the exponent of (45), amounts to an even multiple of $2\pi i$. Therefore,
(45) reduces to

$$\exp[i\Phi(n,s_k,l_j)] = \exp\left\{ \frac{2\pi i}{2^n} [(k\omega\beta_j) \bmod 2^n] \right\}. \tag{46}$$

Since $k\omega < 2^n$ and $|\beta_j| < 1/2$, we have $|k\omega\beta_j| < 2^n$. Therefore, the modulo operation in (46)
is not needed any more and we obtain

$$\exp[i\Phi(n,s_k,l_j)] = \exp\left[ \frac{2\pi i}{2^n}\, k\omega\beta_j \right]. \tag{47}$$

Thus we obtained a closed-form, analytical expression for $\exp(i\Phi)$.

Although [because of the presence of $\varphi(n,b,s_k,l_j)$ in (35)] not useful for the exact
evaluation of (35), a well-justified approximation performed in Sec. VI allows us to compute

$$\Omega(n,l_j,\omega) = \sum_{k=0}^{K-1} \exp[i\Phi(n,s_k,l_j)] \tag{48}$$

separately. Using the formula for computing geometric sums, we obtain:

$$\Omega(n,l_j,\omega) = \sum_{k=0}^{K-1} [\exp(2\pi i\, \omega\beta_j/2^n)]^k = \frac{1 - \exp(2\pi i\, \omega\beta_j K/2^n)}{1 - \exp(2\pi i\, \omega\beta_j/2^n)}. \tag{49}$$

With (9) we obtain

$$\Omega(n,l_j,\omega) = \frac{1 - \exp(2\pi i\, \beta_j)}{1 - \exp(2\pi i\, \beta_j\omega/2^n)} = e^{i\pi\beta_j(1 - \omega/2^n)}\, \frac{\sin(\pi\beta_j)}{\sin(\pi\beta_j\omega/2^n)}. \tag{50}$$

Since $\varphi(n, b = n-1, s, l) = 0$, we note in passing that

$$P_j(n, b = n-1, \omega) = \frac{1}{2^n K}\, |\Omega(n,l_j,\omega)|^2. \tag{51}$$

We also need an analytical expression for the maximum value $\varphi_{\max}(n,b)$ of $\varphi(n,b,s_k,l_j)$,
defined as

$$\varphi_{\max}(n,b) = \max_{k,j}\, \varphi(n,b,s_k,l_j). \tag{52}$$

From (37) it is clear that $\varphi_{\max}$ is obtained by setting all $s_{[n-m-1]}$ and $l_{[\mu]}$ values equal to 1.
This procedure yields

$$\varphi_{\max}(n,b) = \pi \sum_{m=b+1}^{n-1} \sum_{\mu=0}^{m-b-1} \frac{1}{2^{m-\mu}}. \tag{53}$$

Only the formula for evaluating geometric sums is needed to compute the value of $\varphi_{\max}$ in
(53). We obtain

$$\varphi_{\max}(n,b) = 2\pi [2^{-b-1}(n-b) - 2^{-b} + 2^{-n}]. \tag{54}$$

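We now show that a quantum computer performs perfectly, no matter what b is, if $\omega$ is a
power of 2, i.e.,

$$P(n,b,\omega) = 1, \quad \text{for } \omega = 2^a,\ a > 0 \text{ integer}. \tag{55}$$

For such an $\omega$, we notice that (i) the $\kappa$th binary digit of any $l_j$ is zero for $\kappa < n - a$ since
according to (20)

$$l_j = 2^{n-a} j, \quad j = 0, 1, \ldots, \omega - 1 \tag{56}$$

is already integer, which implies $\beta_j = 0$, and (ii) the $\iota$th binary digit of any equivalence class
element in $[s_0]$ [see (8)] for $0 \leq \iota < a$ is identical to that of $s_0$. Thus, we write $\varphi(n,b,s,l)$ in
(37) in the form

$$\varphi(n,b,s,l_j) = 2\pi \left( \sum_{m=n-a+b+1}^{n-1} \sum_{\mu=0}^{m-b-1} + \sum_{m=b+1}^{n-a+b} \sum_{\mu=0}^{m-b-1} \right) \frac{s_{[n-m-1]}\, (l_j)_{[\mu]}}{2^{m-\mu+1}} = \begin{cases} 0, & \text{if } a < b + 1, \\ 2\pi \sum_{m=n-a+b+1}^{n-1} \sum_{\mu=n-a}^{m-b-1} \dfrac{s_{[n-m-1]}\, (l_j)_{[\mu]}}{2^{m-\mu+1}}, & \text{if } a \geq b + 1, \end{cases} \tag{57}$$

where the second equality was obtained by using (i). Now, we observe that the (n - m - 1)th
digit of s is bounded between 0 and a - b - 2 inclusively. Then, using (ii), we obtain

$$\varphi(n,b,s_k,l_j) = 2\pi \sum_{m=n-a+b+1}^{n-1} \sum_{\mu=n-a}^{m-b-1} \frac{(s_k)_{[n-m-1]}\, (l_j)_{[\mu]}}{2^{m-\mu+1}} = 2\pi \sum_{m=n-a+b+1}^{n-1} \sum_{\mu=n-a}^{m-b-1} \frac{(s_0)_{[n-m-1]}\, (l_j)_{[\mu]}}{2^{m-\mu+1}} = \varphi_j, \tag{58}$$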

FIG. 3: Probability $\tilde P(n, b = 1, \omega = 6)$ as a function of n for 14 different semiprimes N with seeds
chosen such that $\omega = 6$. As expected, the data clearly asymptotes to the value 1/3.

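where $\varphi_j$ is a constant for any $s_k$ and a given $l_j$. Inserting (58) in (35), $P_j(n,b,\omega)$ becomes

$$P_j(n,b,\omega) = \frac{1}{2^n K} \left| \sum_{k=0}^{K-1} e^{\,i[\Phi(n,s_k,l_j) - \varphi_j]} \right|^2 = \frac{1}{2^n K} \left| \sum_{k=0}^{K-1} e^{\,i\Phi(n,s_k,l_j)} \right|^2 = \frac{1}{2^n K}\, |\Omega(n,l_j,\omega)|^2 = P_j(n, b = n-1, \omega), \tag{59}$$

where we used (48) and (51). With (23) and (59) we obtain

$$\tilde P(n,b,\omega) = \sum_{j=0}^{\omega-1} P_j(n, b = n-1, \omega) = \tilde P(n, b = n-1, \omega). \tag{60}$$

Therefore, with (22), the normalized probability (the performance measure) $P(n,b,\omega)$ reads

$$P(n,b,\omega) = \frac{\tilde P(n,b,\omega)}{\tilde P(n, b = n-1, \omega)} = 1, \tag{61}$$

which completes the proof.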

Since $\omega = 2$ always exists (see Appendix A), this is an important observation, since the
corresponding quantum computer works perfectly in this case for any n and any b. The trick,
of course, is to find the seed x that yields $x^2 \bmod N = 1$. This, however, is an unsolved
problem for large N.

If $\omega$ is not a power of 2, we write it in the form

$$\omega = r 2^a, \quad r, a \text{ integer}, \tag{62}$$

where r is odd. For such an $\omega$, according to (20), we may write $l_j$ as

$$l_j = \frac{2^{n-a}}{r}\, j + \beta_j. \tag{63}$$

Therefore, if j is a multiple of r, we have $\beta_j = 0$ and $P_j(n,b,\omega) = 1/\omega$, which is proved by
following the corresponding steps for the case where $\omega$ is a power of 2. This means that the
contribution of these j values to $\tilde P(n,b,\omega)$ is 1/r. This is a constant contribution, which
does not depend on either n or b. Therefore, if for large n the contributions to $\tilde P(n,b,\omega)$
tend to zero for the $l_j$ peaks for which j is not a multiple of r, we expect $\tilde P(n,b,\omega)$ to
approach 1/r for large n. This is demonstrated in Fig. 3, which shows $\tilde P(n, b = 1, \omega = 6)$
as a function of n. Since in this case $\omega = 3 \times 2^1$, we expect $\tilde P(n, b = 1, \omega = 6)$ to approach
1/3, which is clearly confirmed in Fig. 3.
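
The following sketch is an added example, not code from the paper: it evaluates the performance measure (22) by brute force from the banded phase of (29)-(31) for toy register sizes, so that (54), (55) and the 1/r floor discussed above can be checked numerically. The default $s_0 = 0$ and all function names are assumptions of this example; `peak_sum` is the sum over peaks in (23).

```python
import cmath
import math


def delta(m, lam, s):
    """Eq. (29): (.0...0 s[m-lam] ... s[0]) with lam zeros after the binary point."""
    if m < lam:
        return 0.0
    return (s % (1 << (m - lam + 1))) / (1 << (m + 1))


def S(n, lam, s, l):
    """Eq. (30): sum over m of Delta_{m,lam}(s) * l[n-m-1]."""
    return sum(delta(m, lam, s) for m in range(n) if (l >> (n - m - 1)) & 1)


def peak_index(n, omega, j):
    """Eq. (20): the integer l_j closest to j * 2**n / omega."""
    return (2 * j * (1 << n) + omega) // (2 * omega)


def peak_sum(n, b, omega, s0=0):
    """Eq. (23): sum over all peaks j of P_j(n, b, omega), each taken from eq. (34)."""
    size = 1 << n
    K = -(-(size - s0) // omega)              # elements s0 + k*omega below 2**n
    total = 0.0
    for j in range(omega):
        l = peak_index(n, omega, j)
        amplitude = 0j
        for k in range(K):
            s = s0 + k * omega
            turns = S(n, 0, s, l) - S(n, b + 1, s, l)   # exponent of (31) / (2*pi)
            amplitude += cmath.exp(complex(0.0, 2 * math.pi * turns))
        total += abs(amplitude) ** 2 / (size * K)
    return total


def performance(n, b, omega, s0=0):
    """Eq. (22): banded result divided by the full-bandwidth (b = n - 1) result."""
    return peak_sum(n, b, omega, s0) / peak_sum(n, n - 1, omega, s0)


def phi_max(n, b):
    """Eq. (54): largest phase removed by truncating to bandwidth b."""
    return 2 * math.pi * (2.0 ** (-b - 1) * (n - b) - 2.0 ** (-b) + 2.0 ** (-n))


if __name__ == "__main__":
    for b in (1, 2, 3, 9):                    # constructed toy sizes
        print("b =", b, " P(10, b, 6) =", round(performance(10, b, 6), 4))
    print("omega = 8:", round(performance(10, 1, 8), 12))
    print("phi_max(10, 2) =", phi_max(10, 2),
          " all digits set:", 2 * math.pi * S(10, 3, 1023, 1023))
```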

V. NUMERICAL RESULTS 

In this section we explore, numerically, the performance of Shor's algorithm supplied
with a banded quantum Fourier transform of bandwidth b. The performance is measured
objectively with the help of the quantitative performance measure $P(n,b,\omega)$ defined in (22).
In contrast to a similar investigation by Fowler and Hollenberg [15], who use an effective $\omega$
for the investigation of the performance of the banded Shor algorithm, we opted for a more
realistic simulation of the performance of Shor's algorithm using ensembles of semiprimes
N together with their exact associated orders $\omega$. Thus, our procedure for computing the
performance measure is as follows. For given n we choose an ensemble of semiprimes N = pq
such that

$$n = \lfloor 2\log_2(N) + 1 \rfloor, \tag{64}$$

where $\lfloor \ldots \rfloor$ is the floor function [24]. This ensures that n is at least twice as large as the
number of binary digits of N, as required to reliably determine the order $\omega$ with an n-qubit
quantum computer [18, 25, 26]. For each N we compute its set of orders $\{\omega_1, \ldots, \omega_{a(N)}\}$,
where a(N) is the number of orders for given N. We also define the multiplicity of a
given order $\omega$ as the number $\nu(\omega)$ of seeds x of order $\omega$. Thus equipped, we compute the
performance $P_N(n,b)$ as the properly weighted average

$$P_N(n,b) = \frac{1}{\varphi_E(N)} \sum_{j=1}^{a(N)} \nu(\omega_j)\, P(n,b,\omega_j), \tag{65}$$

FIG. 4: Normalized probability P, represented by the properly averaged performance measure (65),
for successful factorization of sample semiprimes N of binary length $\log_2(N) \approx n/2$ as a function
of n for several bandwidths b, ranging from b = 1 to b = 8. (a) b = 1 (triangles), b = 2 (stars),
b = 3 (diamonds), and b = 4 (squares). (b) b = 5 (triangles), b = 6 (stars), b = 7 (diamonds),
and b = 8 (squares). The solid lines through the data points are the fit functions (66). Notice the
visual similarity of (a) and (b), which illustrates the exponential scaling of $\xi_b$ in b.



where P(n,b,u) is defied in ( 122]) and (Pe(N) is Euler's totient function 27]. 

In Fig. 4 (a) we show $P_N(n,b)$ for various choices of N for b = 1, …, 4 and n ranging
from n = 9 to n = 33. Plot symbols correspond to particular N values and there are up to 7
semiprimes N per n. Overall we see that the data exhibit exponential behavior on average,
which is well represented by the fit lines

$$P_>(n,b) = 2^{-\xi_b (n-8)}, \qquad \xi_b = 1.1 \times 2^{-2b}, \tag{66}$$

drawn through the data points. In Sec. VI B we present an analytical model that explains the
b-scaling of (66) and in addition reproduces the pre-factor in (66) within 10%. Figure 4 (b)
shows corresponding data for b = 5, …, 8. Again, the data points behave exponentially
and are well approximated by the fit lines defined in (66). This illustrates that the b and n
scaling in (66) holds over a considerable range of b and n values.

FIG. 5: Small-n behavior of 1 − P [see (65)] for several sample semiprimes N (plot symbols) with
proper average over {ω(N)}. The bandwidth b ranges from b = 1 to b = 8. (a) b = 1 (triangles),
b = 2 (stars), b = 3 (diamonds), and b = 4 (squares). (b) b = 5 (triangles), b = 6 (stars), b = 7
(diamonds), and b = 8 (squares). The solid lines are the non-exponential fit functions (67). The
dashed lines are the fit functions (66). The cross-over points between the small-n, non-exponential
behavior and the large-n, exponential behavior [i.e. the intersections of (66) and (67)] are marked
by arrows.

While on the large scale of Fig. 4 the data show an exponential behavior, looking more
closely at the small-n regime, we see definite deviations from exponential behavior. Plotting
1 − P(n, b) magnifies the P(n, b) behavior in the small-n region and clearly brings out the
deviations from exponential behavior. This is illustrated in Fig. 5, which shows the data of
Fig. 4 plotted as 1 − P(n, b). The dashed lines in Fig. 5 are the exponential fit lines defined
in (66). We see that even on this magnified scale and in the large-n regime the data are well
represented by the exponentials (66). For small n, however, the data clearly deviate from
exponential, but are well fit by the solid lines representing the function [16]

P < (n,b) = P < (n,b)/f, (67) 



where

$$f = \int_{-1/2}^{1/2} \frac{\sin^2(\pi\beta)}{(\pi\beta)^2}\, d\beta \approx 0.774 \tag{68}$$

and



P<(n,b) = (~) + (l - (-)) (f^H) exp [-^L>,6)/100], (69) 

where if max is given in ( )54j) . r is defined in ([62]), and (±) = 2-(™- 8 )/ 2 - 6 (see Appendix EJ). 
Based on our numerical evidence, we conclude that P(n, b) shows a clear transition from
non-exponential behavior for small n to exponential behavior for large n. The arrows in Fig. 5
point to the locations of the transition between the two regimes and are the intersection
points between the functions defined in (66) and (67).

Combining expressions (66) and (67), we derive an analytical expression, $n_t(b)$, for the
transition points between the two different regimes for given b. The transition points $n_t$ are
defined as the n-value at which (66) equals (67). A useful analytical formula, approximately
valid for b > 8, is obtained in the following way. For b > 8, we noticed numerically that the
1/r terms in (69) may be neglected, resulting only in a small shift of $n_t$ of about 2 units in
n. Therefore, to lowest order, $P_<(n_t,b) = P_>(n_t,b)$ results in

$$\frac{\varphi_{\max}^2(n_t,b)}{100} = \xi_b \ln(2)\,(n_t - 8), \tag{70}$$

which implies

$$1.1 \times 2^{-2b} \ln(2)\,(n_t - 8) = \frac{\pi^2}{25}\left[2^{-b-1}(n_t - b - 2) + 2^{-n_t}\right]^2. \tag{71}$$

At this point we notice that the transitions $n_t$ between the two regimes occur at n values
for which

$$2^{-n_t} < 2^{-b}, \tag{72}$$

which implies that we can safely neglect the $2^{-n_t}$ term in (71). This turns (71) into the
quadratic equation

$$n_t^2 - 2 n_t (C + b + 2) + 16 C + (b+2)^2 = 0, \tag{73}$$

where we defined

$$C = \frac{55 \ln(2)}{\pi^2}. \tag{74}$$

Solving (73) yields

$$n_t = b + 5.9 + \sqrt{7.7(b+2) - 47}. \tag{75}$$

The expression (75) for the transition points shows that the onset of exponential behavior is
shifted toward larger n for larger b. Formula (75) for the transition points $n_t(b)$ is useful for
extrapolating into the practically relevant qubit regime n > 4000, where classical computers
cannot follow any more. In this classically inaccessible regime, we can then decide on the
basis of (75), e.g., whether for given b and very large n, formula (66) or formula (67) should
be used to predict the performance of the quantum computer. For b = 1, …, 4, as shown in
Fig. 5 (a), the transition is poorly defined, whereas, as shown in Fig. 5 (b), the transition
is progressively better defined as b increases. That this trend continues is shown in Fig. 6,
which shows data for b = 10, 15, and 20. We also see that the quality of the fit of the data
with (67) improves for increasing b. The sharp cut-off displayed by $P_<(n,b)$ in Fig. 6 at
n = 11 (b = 10), n = 16 (b = 15), and n = 22 (b = 20) is also understood since, according
to (54), $\varphi_{\max}(n,b) = 0$ for n = b + 1.

FIG. 6: Small-n behavior of semiprimes N for b = 10 (squares), b = 15 (crosses), and b = 20
(bullets). The full lines are the non-exponential performance functions $P_<(n,b)$ [see (67)]. The
dashed lines are the corresponding large-n, exponential fit functions (66).
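The fit law (66), the transition formulas (73)-(75) and the regime decision described above can be evaluated directly. The following Python sketch is an added example, not the authors' code: all function names are illustrative, the small-n law is taken in its lowest-order form exp[−φ_max²/100] with the 1/r terms of (69) neglected, φ_max is the expression of (54) as quoted in the abstract, and the fallback to the exponential fit when (73) has no real root is an assumption.

```python
"""Scaling-law calculator for Shor's algorithm with a banded QFT (added example)."""
import math

GAMMA_FIT = 1.1  # numerical prefactor of xi_b in Eq. (66)


def xi(b, gamma=GAMMA_FIT):
    """Decay constant xi_b = gamma * 2^(-2b) of the exponential regime."""
    return gamma * 2.0 ** (-2 * b)


def p_large(n, b, gamma=GAMMA_FIT):
    """Eq. (66): P_>(n, b) = 2^(-xi_b (n - 8))."""
    return 2.0 ** (-xi(b, gamma) * (n - 8))


def phi_max(n, b):
    """Eq. (54): phi_max = 2*pi*[2^(-b-1) (n - b - 2) + 2^(-n)]."""
    return 2 * math.pi * (2.0 ** (-b - 1) * (n - b - 2) + 2.0 ** (-n))


def p_small(n, b):
    """Lowest-order small-n law exp(-phi_max^2 / 100); 1/r terms of Eq. (69) neglected."""
    return math.exp(-phi_max(n, b) ** 2 / 100)


def transition_quadratic(b):
    """Larger root of Eq. (73), with C = 55 ln(2) / pi^2 from Eq. (74)."""
    c = 55 * math.log(2) / math.pi ** 2
    half_sum = c + b + 2
    disc = half_sum ** 2 - 16 * c - (b + 2) ** 2
    if disc < 0:
        raise ValueError(f"Eq. (73) has no real root for b={b}")
    return half_sum + math.sqrt(disc)


def transition_closed_form(b):
    """Eq. (75): n_t = b + 5.9 + sqrt(7.7 (b + 2) - 47)."""
    arg = 7.7 * (b + 2) - 47
    if arg < 0:
        raise ValueError(f"Eq. (75) is not defined for b={b}")
    return b + 5.9 + math.sqrt(arg)


def exponential_law_limit(b):
    """Largest n with sigma^2 < 1, i.e. n < 12 * 2^(2b) / pi^2 (bound quoted in the Discussion)."""
    return math.floor(12 * 2 ** (2 * b) / math.pi ** 2)


def predict(n, b):
    """Return (regime, estimated performance P) for n qubits and bandwidth b."""
    if b >= n - 1:
        return ("full", 1.0)  # b = n - 1 is the full-bandwidth transform
    try:
        n_t = transition_quadratic(b)
    except ValueError:
        # Assumption: for small b, where the page calls the transition poorly
        # defined, fall back to the exponential fit.
        return ("exponential", p_large(n, b))
    if n < n_t:
        return ("non-exponential", p_small(n, b))
    return ("exponential", p_large(n, b))


if __name__ == "__main__":
    modulus_bits, b = 2048, 8
    n = 2 * modulus_bits  # the page quotes a minimum of 4096 qubits for RSA-2048
    regime, p = predict(n, b)
    print(f"n_t({b}) = {transition_closed_form(b):.2f}")
    print(f"n = {n}, b = {b}: {regime} regime, P = {p:.3f}")
    print(f"exponential law trusted for n < {exponential_law_limit(b)}")
```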
VI. ANALYTICAL RESULTS

Our analytical investigation of the performance measure starts with (35). Analytically
and numerically we found that $\Phi(n, s_k, l_j)$ is a slow function of k, whereas $\varphi(n, b, s_k, l_j)$ is a
fast, erratic function of k. Therefore, we can write approximately,

2 



Pj(n, b, uj) 



1 



2 n K 
1 



r K-l 

E 

fc=0 



,i$(n,s k ,lj) 



(76) 



where Q(n,lj,u) is defined in fHHj) and 



k-i 



-iip(n,b,s k ,lj) 



(77) 



fc=0 



With 022]), ([23]), and (ED we now obtain 



P(n, b, u) 



b.l, 



U)-l 



(78) 



We now proceed with a slightly less but still extremely accurate approximation by separating 
f8\i in j, which then yields 

U)-l 



P(n, 6, cj) 



w — „ 



(79) 



3=0 



where $\langle\ldots\rangle_k$ and $\langle\ldots\rangle_j$ are averages over k and j, respectively. This expression for the
performance measure P(n, b, ω) is the basis of our analytical work.

Since (79) is based on the validity of the separation in k and j, both are investigated in
detail in Sec. VI A. A random model is used in Sec. VI B to evaluate (79) analytically in the
large-n regime. This yields an analytical explanation for the b-scaling in (66) and excellent
agreement with the prefactor of the exponential term in (66). In Sec. VI C, again assuming
separation in k and j, we then arrive at an analytical formula describing the small-n regime,
which predicts the functional form and the b-scaling of (67) very well, and also provides an
estimate of the overall scaling factor.

FIG. 7: Relative error $\Delta^{(k)}$ of k separation as a function of b for several semiprimes N. The data
shows that the error is negligible. The fit line $\Delta = 2^{-2.5b-5.5}$ (dashed line) shows that the relative
error vanishes exponentially in b.

A. Separability

In this section we investigate in detail the quality of the separations in k and in j, which
lead to our jump-off point (79) for the analytical calculations reported in Sec. VI B and
Sec. VI C.

We start with justifying the separation in k. To this end we define



3=0 



K-l 

E« 4 

fc=0 



(80) 



and 



w-l 



K-l 
k=0 



K-l 



1 E 

K ^ 



-iip(n,b,s k ,,lj) 



j=0 I k=0 J fc'=0 

2 

3=0 



and compute the relative error 



A (*) 



\AW\ 



(81) 



(82) 



incurred by the k separation. Figure 7 shows $\Delta^{(k)}$ as a function of b for various choices of N.
We clearly see that k separation is an excellent approximation, which produces negligible,
exponentially small errors. We plotted the line $\Delta = 2^{-2.5b-5.5}$ through the data to guide the
eye. This line shows that the relative error of k separation vanishes exponentially in b.

FIG. 8: Relative error $\Delta^{(j)}$ of j separation as a function of b for several semiprimes N. A fit line,
$\Delta = 2^{-2.5b-1.5}$ (dashed line) is also shown. Compared with k separation (see Fig. 7) the error
decays with the same exponent, only the overall scale factor is different.

Turning now to the j separation, we define



A U) = B (k) 



and 



B U) 



3 ' 



. 3=0 

and compute the relative error of j separation 



Ul— 1 



-up 



>n. 



6,/, 



(83) 



(84) 



A (i) 



1^0) I 



\A0 



(85) 



Figure 8 shows $\Delta^{(j)}$ as a function of b for various choices of N. Apparently, while a bit less
accurate than k separation, j separation is still highly accurate, improving exponentially
with b. This is seen from the fit line $\Delta = 2^{-2.5b-1.5}$ through the data in Fig. 8, which also
shows that $\Delta^{(k)}$ and $\Delta^{(j)}$ decay with the same exponential factor in b, and are offset by a
constant only.

B. Large-n, exponential regime

In this section we evaluate (79) analytically in a model in which we treat $s_k$ and $l_j$
as independent random variables. This model, obviously, cannot capture the correlations
between $s_k$ and $l_j$ introduced by ω and yields P(n, b, ω) that is independent of ω. Therefore,
the ω-average in (65) is trivial and $P_N(n,b)$ does not depend on N either. Therefore, we
write $P_N(n,b) \to P(n,b)$ as the prediction of the random model. However, even in this
model, where ω-correlations are entirely neglected, it is hard to evaluate the expectation
value of the exponential. Therefore, we proceed to evaluate (79) via its moment expansion

|2, 



(\(e- i *)k\l j = l-[(<p\ j -((<p)l) j ] + 



^\i+\(^ 2 )i) ] -\m k ^) k ) ] 



±..., (86) 



where we used $\langle\ldots\rangle_{kj} = \langle\langle\ldots\rangle_k\rangle_j = \langle\langle\ldots\rangle_j\rangle_k$ in cases where the averages commute. We start
by computing

n— 1 m— 6—1 m'— 6—1 < \ /? / \ 

{S[n-m-l]S[n-m'-l]/k\l[fj,]l'[ t j.'])j 



<^-=- 2 E E E 

m,m'=6+l /j=0 //'=0 



(87) 



where we made use of the assumed independence of s and l. Taking into account that the
binary digits of s and l can only take the values 0 and 1, we obtain

$$\langle s_{[\alpha]} s_{[\beta]} \rangle_k = \frac{1}{2}\,\delta_{\alpha\beta} + \frac{1}{4}\,(1 - \delta_{\alpha\beta}), \tag{88}$$

and a similar expression for $\langle l_{[\mu]} l_{[\mu']} \rangle_j$. Because of (88), the evaluation of the quadruple sum
(87) is lengthy, but can be performed analytically. The result is

$$\langle\varphi^2\rangle_{kj} = \left(\frac{\pi^2}{144}\right) 2^{-2b} \left[ 9x^2 + 21x - 10 + 9(2+x)\,2^{-x} + 2^{-2x} \right], \tag{89}$$

where

$$x = n - b - 2. \tag{90}$$



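Next, we evaluate $\langle\langle\varphi\rangle_k^2\rangle_j$. With (88) and following the same procedures that lead to (89),
we obtain

$$\langle\langle\varphi\rangle_k^2\rangle_j = \left(\frac{\pi^2}{96}\right) 2^{-2b} \left[ 6x^2 + 6x - 4 + 6(1+x)\,2^{-x} + 2^{-2x} \right], \tag{91}$$

where x is defined in (90). We define

$$\sigma^2 = \langle\varphi^2\rangle_{kj} - \langle\langle\varphi\rangle_k^2\rangle_j, \tag{92}$$

which, on the basis of the results (89) and (91), is explicitly given by

$$\sigma^2 = \left(\frac{\pi^2}{288}\right) 2^{-2b} \left[ 24x - 8 + 18 \times 2^{-x} - 2^{-2x} \right]. \tag{93}$$

With (79) and up to second order in the moment expansion (86), the performance measure
is now given by

$$P(n,b) \approx 1 - \sigma^2. \tag{94}$$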
Comparing (94) with the fit function (66) and using (90), we see that (94), to leading order
in n, is the first-order expansion of

$$P^{(a)}(n,b) \sim 2^{-\xi_b^{(a)} n}, \tag{95}$$

where

$$\xi_b^{(a)} = \left[\frac{\pi^2}{12\ln(2)}\right] \times 2^{-2b} \approx 1.19 \times 2^{-2b}. \tag{96}$$

This analytical result recovers the $2^{-2b}$ scaling of the fit line (66), and is within 10% of the
exponential prefactor in (66).

The analytical evaluation of the 4th order terms in (86) is technically straightforward,
but tedious, and not essential at this point. Our numerical calculations show that the 4th
order terms are approximately given by $(\sigma^2)^2/2$, and are therefore very small. This has two
consequences: (i) it shows that up to 4th order in φ the probability measure P(n, b) for
fixed b is consistent with exponential decay in n and (ii) that because of their smallness it
is currently not necessary to evaluate the 4th order terms analytically.

To conclude this section, we compute

n— 1 m— b— 1 
m=b+l £t=0 

which is needed in the following section. Using the summation formula for the evaluation
of geometric sums, we obtain

$$\langle\varphi\rangle_{kj} = \frac{\pi}{4}\left[2^{-b}(n - b - 2) + 2^{1-n}\right] = \frac{1}{4}\,\varphi_{\max}, \tag{98}$$

where we related $\langle\varphi\rangle_{kj}$ to $\varphi_{\max}$ via (54).


C. Small-n, non-exponential regime 

Our starting point is again equation (79), but in this section we focus on the small-n
regime, i.e. $n < n_t(b)$ [see (75)]. We first derive some useful relations that can then be used
to evaluate (79) approximately in this regime. We start by inspecting φ(n, b, s, l) in (37).
We notice that

n-6-2 

^n, 6, «, = E [( 2 " S W0 mod 2n ^] • (") 

i=0 
Since the modulus of the product of two numbers is smaller than or equal to the product of
the moduli of two numbers, we obtain 

n-b-2 

V ,(n l 6 l a,0<2^ r £ [(2^ H mod2"- b - 1 )(/mod2- fe - 1 )] 

i=0 

T [0 mod 2 n - b ~ 1 ){l mod 2 n ~ b ~ 1 )} , (100) 



7T 



2 

where the equality is obtained by using 



(n-b-2 \ 
£ 2<s w J mod 2"- 6 - 1 = (a mod 2 n ~ f> - 1 ) mod 2"- 6 - 1 = s mod 2 n - 6_1 . (101) 

In order to compensate for the difference between (99) and (100), we introduce an effective
parameter l in (100) such that

$$\varphi = \frac{2\pi}{2^n}\,(s \bmod 2^{n-b-1})\, l < \varphi_{\max}, \tag{102}$$

where the inequality is obtained from the definition of $\varphi_{\max}$ in (52). Since this inequality
must hold for any s, the inequality (102) implies

$$\pi\, 2^{-b}\, l < \varphi_{\max}, \tag{103}$$

where we used $\max(s \bmod 2^{n-b-1}) \approx 2^{n-b-1}$. Assuming the random model used in Sec. VI B,
in particular its assumption of statistical independence of s and l, we compute the average
of (102). With (98) we obtain

$$\langle\varphi\rangle_{kj} = \frac{\varphi_{\max}}{4} = \frac{2\pi}{2^n}\,\langle s \bmod 2^{n-b-1}\rangle_k\, \langle l\rangle_j = \frac{\pi}{2}\, 2^{-b}\, \langle l\rangle_j. \tag{104}$$

Hence, solving for $\langle l\rangle_j$, dropping the small term $2^{-n}$ in (54), we expect

$$\langle l\rangle_j \approx \frac{n - b - 2}{2}. \tag{105}$$

We note that $\langle l\rangle_j$ in (105) fulfills (103). Next, by writing the order of a seed as $\omega = 2^{\alpha} r$ [see
(62)], and by using the form of an element of an equivalence class $[s_0]$ defined in (8), we
obtain

$$s_k \bmod 2^{n-b-1} = k r 2^{\alpha} \bmod 2^{n-b-1} = (k r \bmod 2^{n-\alpha-b-1})\, 2^{\alpha}, \tag{106}$$

where we assumed $s_0 = 0$ for analytical simplicity. We note that $(kr \bmod 2^{n-\alpha-b-1})$ is a
random integer variable in k for k an integer, which spans the entire integer space $0 < k <
2^{n-\alpha-b-1} - 1$. Now, we compute using (102) and (106):



^Pmax 

in— 6—1^ 



(p(n,b,s k J) it (s k mod 2™ 6 x ) x / 



y? max 2"- 1 27r[2- b - 1 (^-&) -2- b + 2-«] 

[ A;r mod 2 n - Q - fc - 1 



n-b-2 2 n - a - b - 1 
where we again dropped the small $2^{-n}$ term. Thus, we write



(107) 



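$$\varphi(n,b,s_k,l) \approx \frac{\varphi_{\max}\, l}{n - b - 2}\, R_k, \tag{108}$$

where we used

$$R_k = \frac{k r \bmod 2^{n-\alpha-b-1}}{2^{n-\alpha-b-1}}, \tag{109}$$

which is a random variable in k whose range is [0, 1).

We are now ready to evaluate (79). Inserting (108) in (79), we obtain

$$P(n,b) = \left\langle \left| \left\langle \exp\left( -i\, \frac{\varphi_{\max}\, l}{n - b - 2}\, R_k \right) \right\rangle_k \right|^2 \right\rangle_j. \tag{110}$$

Assuming that $R_k$ is uniformly distributed in [0, 1), we turn the k average into an integral
and obtain
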

P(n,b) 

where we defined 



2 

V _ 1 

e~ iR -dR 
o V 



>i, (HI) 



Evaluation of (111) yields

$$P(n,b) \approx \left\langle \frac{2}{\eta^2}\left[1 - \cos(\eta)\right] \right\rangle_j. \tag{113}$$

Since η defined in (112) is small for $n < n_t$, we Taylor-expand (113), which results in



2 

P(n,b) « ( — 



1-1-^ + ^7 



Inserting η defined in (112) into (114), we obtain



" ! ■ " 4 M), = i_Mi. (1 i4) 



$$P(n,b) \approx 1 - \frac{\varphi_{\max}^2\, \langle l^2\rangle_j}{12\,(n - b - 2)^2}. \tag{115}$$

We compute $\langle l^2\rangle_j$ in the following way. Computing the average of the square of (102), we
obtain

$$\langle\varphi^2\rangle_{kj} = \left(\frac{\pi^2}{3}\right) 2^{-2b}\, \langle l^2\rangle_j, \tag{116}$$

where we used the assumed independence of s and l of the random model. According to
(89), and to leading order in x [defined in (90)], we have

$$\langle\varphi^2\rangle_{kj} \approx \left(\frac{\pi^2}{16}\right) 2^{-2b}\, (n - b - 2)^2. \tag{117}$$

Equating (116) and (117), we obtain

$$\langle l^2\rangle_j = \frac{3}{16}\,(n - b - 2)^2. \tag{118}$$

Inserting (118) into (115), we obtain

$$P(n,b) \approx 1 - \frac{\varphi_{\max}^2(n,b)}{64} \approx \exp\left[-\varphi_{\max}^2(n,b)/64\right]. \tag{119}$$

Compared with the numerical fit line (67) [in particular equation (69)], this analytical result
predicts the functional form of the b-scaling exactly and the overall scaling factor within a
factor of 2.



VII. COMPARISON WITH THE WORK OF FOWLER AND HOLLENBERG 



Our work is closely related to the work of Fowler and Hollenberg [15] (in the following
abbreviated to FH). The purpose of this section is to discuss similarities and differences
between the two approaches. The notation in [15] differs from ours. In order to avoid
confusion, we translate the notation in [15] into our notation. As argued in [15] and here,
because of the sensitivity of quantum gates to noise and decoherence, it is important to
reduce the number of gates and gate operations as much as possible. This provides the
motivation for studying the performance of Shor's algorithm as a function of bandwidth b
of the quantum Fourier transform, since a small b results in substantial savings in gates to
be implemented and gate operations to be executed. Both works conclude that for large n
the period-finding part of Shor's algorithm scales exponentially in n, $P(n,b) \sim 2^{-\xi_b n}$, where
$\xi_b = \gamma 2^{-2b}$ and γ a constant. FH quote γ = 2; we find γ = 1.1. Thus, while the research
goals are the same, and the central results are similar, there are substantial differences in
how the research programs are executed, and there are new findings in our work. Among the
new findings is the existence of a non-exponential regime for small n (see Sec. V), analytical
results for the non-exponential and exponential regimes (see Sec. VI) and the existence of a
provable bound for the maximal possible period ω of a given semiprime N (see Appendix B).

FIG. 9: Average ω as a function of N. (a) Scatter plot of ⟨ω⟩ defined according to (120); (b)
double averaged, binned ⟨⟨ω⟩⟩ defined according to (121).



The main difference between [15] and our work concerns the choice of ω in the simulations.
While in our work we simulate the period-finding part of Shor's algorithm for actual
semiprimes N, and actual, associated ω values, FH use an effective ω = 2 + N/2. Thus,
our calculations are more realistic than those reported in [15] and check and complement
the calculations in [15] under more realistic conditions. A first comment in this connection
concerns the choice of FH's effective ω value. It was chosen as a good representative of ω
values in Fig. 5 of [15]. However, the ω values in this figure extend up to ω = N, which
is more than twice larger than the maximal possible ω, which is smaller than N/2 (see
Appendix B for the proof). Therefore, rather than located in the middle of Fig. 5 of [15],
FH's effective ω actually lies beyond the allowed range of ω. However, this is not expected
to make any difference in the conclusions of [15], since, as shown in Fig. 5 of [3], according
to the simulations reported in [15], P(n, b) exhibits flat plateaus in ω.

In this connection it may be interesting to present more information on the distribution
of allowed ω values. In Fig. 9 (a) we show the properly averaged ω values,

$$\langle\omega\rangle = \frac{1}{\varphi_E(N)} \sum_{j=1}^{a(N)} \nu(\omega_j)\, \omega_j, \tag{120}$$

as a function of N in the form of a scatter plot. The symbols in (120) have the same
meaning as explained in connection with (65), i.e. $\varphi_E(N)$ is Euler's totient function, a(N)
is the number of ω values for given N, and ν(ω) is the multiplicity of ω. We see that
⟨ω⟩ is a sensitive function of N with a large spread over the entire allowed ⟨ω⟩ range, i.e.
2 < ⟨ω⟩ < N/2. To make more sense of the raw ⟨ω⟩ data, Fig. 9 (b) shows a binned average
of the ⟨ω⟩ data in Fig. 9 (a) defined as

X (JV«+250) 

((W))(]VW) = ^W) + 250) - x (iVW - 250) E Ma. 

N® = 500^-^,2 = 1,..., 20, (121) 

where χ(N) is the semiprime counting function and $\langle\omega\rangle_\lambda$ is the average ω [see (120)]
associated with the λth semiprime. Figure 9 (b) shows that the twice averaged ⟨⟨ω⟩⟩ are linear
in N with

$$\langle\langle\omega\rangle\rangle \approx N/5. \tag{122}$$

Therefore, according to Fig. 9 (b), a representative ω value for a given N is an allowed ω
value in the vicinity of N/5.
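The order statistics that enter the weighted averages (65) and (120), together with the decomposition (62), can be computed by brute force for small semiprimes. The following Python sketch is an added example, not the authors' code: function names are illustrative, and it assumes that the seeds are all x in [1, N) coprime to N, so that the multiplicities sum to Euler's totient function.

```python
"""Order statistics of a semiprime N for the averages (65) and (120) (added example)."""
from collections import Counter
from fractions import Fraction
from math import floor, gcd, log2


def multiplicative_order(x, N):
    """Smallest omega >= 1 with x^omega mod N == 1; x must be coprime to N."""
    if gcd(x, N) != 1:
        raise ValueError("seed must be coprime to N")
    omega, y = 1, x % N
    while y != 1:
        y = (y * x) % N
        omega += 1
    return omega


def order_multiplicities(N):
    """Map each order omega_j to its multiplicity nu(omega_j).

    Assumption: seeds are all units x in [1, N), so sum(nu) == phi_E(N).
    """
    return Counter(multiplicative_order(x, N)
                   for x in range(1, N) if gcd(x, N) == 1)


def qubits(N):
    """Eq. (64): n = floor(2 log2(N) + 1); float log2 is fine for small N."""
    return floor(2 * log2(N) + 1)


def odd_part(omega):
    """Eq. (62): omega = r * 2^alpha with r odd; returns (r, alpha)."""
    alpha = 0
    while omega % 2 == 0:
        omega //= 2
        alpha += 1
    return omega, alpha


def weighted_average(N, f):
    """(1/phi_E(N)) * sum_j nu(omega_j) * f(omega_j), the weighting of (65) and (120)."""
    nu = order_multiplicities(N)
    phi_e = sum(nu.values())
    return sum(Fraction(count) * f(omega) for omega, count in nu.items()) / phi_e


def mean_order(N):
    """Eq. (120): seed-averaged order <omega>."""
    return weighted_average(N, lambda omega: Fraction(omega))


def mean_inverse_odd_part(N):
    """Seed average of 1/r, the n- and b-independent contribution derived for (62)."""
    return weighted_average(N, lambda omega: Fraction(1, odd_part(omega)[0]))


if __name__ == "__main__":
    for N in (15, 21, 33, 35, 77, 143):  # small semiprimes chosen for illustration
        nu = order_multiplicities(N)
        print(f"N={N:3d} n={qubits(N):2d} max omega={max(nu):3d} "
              f"<omega>={float(mean_order(N)):6.2f} N/5={N / 5:5.1f} "
              f"<1/r>={float(mean_inverse_odd_part(N)):.3f}")
```

For N = 15 every order is a power of 2, so the averaged 1/r equals 1, in line with the statement that Shor's algorithm performs perfectly for N = 15 at any bandwidth.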

In contrast to our choice of a single l state representing a Fourier peak, FH choose two l
states to represent a Fourier peak, one to the left and one to the right of the position of the
peak's maximum. This choice is more symmetrical than ours, but, because of the uniform
response of all states under a Fourier peak (see Fig. 2 and the discussion in Sec. IV), one
representative is sufficient.

FH quote $\gamma_{FH} = 2$ as a safe estimate, which is about a factor 2 larger than our, more
optimistic, γ = 1.1. On the basis of the data in Fig. 6 of [15] we computed the actual
$\gamma_{FH}$ corresponding to the six panels of FH's Fig. 6, and obtained $\gamma_{FH}$ = 0.5 (b = 0), 1.85
(b = 1), 1.83 (b = 2), 1.79 (b = 3), 1.78 (b = 4), 1.77 (b = 5), 1.73 (b = 6), and 1.57
(b = 7). Discarding the $\gamma_{FH}$ value for b = 0 (it is not generic, since it involves only H
and M gates and no rotation gate), and the $\gamma_{FH}$ values for b = 6 and b = 7 (given the
numerical range of the data, the exponential regime displayed in Fig. 6 of [15] is very short,
resulting in uncertainty in the decay constant of an exponential fit), the $\gamma_{FH}$ values are well
characterized by $\gamma_{FH} \sim 1.8$, slightly more optimistic than the quoted $\gamma_{FH} = 2$. What is
interesting for us is that $\gamma_{FH} = 1.8$ is already closer to our value of γ = 1.1.

Finally, what difference does it make for the performance of a quantum computer if
γ = 2 or γ = 1.1? The answer depends on the performance level of the quantum computer.
Since a factor 2 difference in γ is the difference between performance and the square of the
performance, a factor 2 difference in γ has basically no effect if the quantum computer
operates with close to 100% performance, but has a large effect, if the quantum computer
operates, e.g., on the 10% level.



Because of the critical need for quantum error correction and fault-tolerant operation [28],
FH also present an error-tolerant, approximate construction of rotation gates, consisting of 
more fundamental elementary gates. In fact, each single-qubit rotation gate, as written in 
the quantum algorithm, may result in thousands of gates when decomposed. Unlike FH, 
we did not discuss the actual realization of gates, since, in this paper, we focus on the 
algorithmic aspects of Shor's algorithm, in particular on the scaling of the performance with 
n and b. In any case, as shown by FH, the actual experimental realization of fault-tolerant 
gates may require large numbers of additional, ancillary gates and qubits, motivating and 
emphasizing the critical need to reduce required quantum resources as much as possible by 
optimizing the quantum algorithms. 

Given that error correction and fault-tolerant operation may introduce many additional 
auxiliary gates and qubits, what happens to our scaling laws in this case? Since our scaling 
laws depend on two parameters, b and n, the answer has two parts. (i) Error correction will
not affect the b scaling, since the possibility of reducing the full quantum Fourier transform 
to a narrow-band quantum Fourier transform with bandwidth b is an intrinsic property 
of the mathematical structure of the Fourier transform itself that has nothing to do with 
quantum error correction. In fact, under noisy conditions, it may not even be a good 
idea to increase the bandwidth of the quantum Fourier transform, because the algorithmic 
accuracy of the transform gained might be more than offset by the errors introduced by the 
additional gates that are now exposed to noise and decoherence. (ii) It is clear that each
computational qubit in Shor's algorithm has to be protected with quantum circuits that 
consist of additional qubits. However, since the scaling laws derived in this paper refer to 
the number n of computational qubits, our scaling laws remain unchanged. 

Summarizing the discussion in this section, we see our work as complementary to the 
pioneering work of FH, adding new insights, and confirming the major conclusions of FH, 
using an independent approach based on period-finding simulations of actual semiprimes N, 
supported by analytical results. 



VIII. DISCUSSION 



An absolute limit of classical computing is reached when the physical requirements exceed 
the resources of the universe. According to this definition we can safely say that a classical 
computer, no matter its precise architecture, using the best currently available factoring 
algorithms, will never be able to factor a semiprime with 5000 decimal digits or more. We 
see this in the following way. The best currently known algorithm for factoring large, "hard"
semiprimes (more than ~130 decimal digits; no small factors) is the general number field
sieve (GNFS) [1]. It was recently used by Kleinjung et al. [8] to factor the RSA challenge
number RSA-768 (232 decimal digits). This factorization took the equivalent of 2000 years
on a 2.2 GHz Opteron workstation [8]. The performance of the GNFS scales approximately
as

$$P(N) \sim \exp\left\{1.9\,[\ln(N)]^{1/3}\,[\ln\ln(N)]^{2/3}\right\}, \tag{123}$$

where N is the semiprime to be factored. If we take the Kleinjung et al. factorization as
the current, best benchmark, and estimate an Opteron processor to consist of roughly $10^{25}$
particles, then we can factor a 232-decimal-digit semiprime with $2000 \times 12 \times 10^{25} \sim 2 \times 10^{29}$
particles in the time span of a month. According to (123), then, in order to factor a
5000-decimal-digit number in the span of a month we need

$$2 \times 10^{29} \times P(10^{5000})/P(10^{232}) \approx 10^{89} \tag{124}$$

particles. This exceeds the number of particles in the universe ($\sim 10^{80}$) by several orders
of magnitude. Clearly, the factorization of a 5000-decimal-digit semiprime is physically
impossible to perform within a reasonable time (~1 month) on a classical computer. Even
if we allow substantial progress in computer development, for instance replacing the current
MOSFET transistors [29] used in computer chips by single-electron transistors [30] and
increasing the clock-speed of a processor from 2.2 GHz to the optical regime of $\sim 10^{15}$
Hz, we gain only insignificantly. Therefore, in the absence of a breakthrough in the design
of classical factoring algorithms, if we want to make any progress in factoring large
numbers, we need a different computing paradigm. This is provided by switching from
classical computing to quantum computing, i.e., running Shor's algorithm on a quantum
computer. Instead of scaling (sub)exponentially, according to (123), Shor's algorithm scales
$\sim O[(\ln N)^2 (\ln\ln N)(\ln\ln\ln N)]$ [11] and thus provides an exponential speed-up that allows
us, in principle, to tackle semiprimes vastly in excess of $N = 10^{5000}$. Obviously, for the
practical implementation of powerful quantum computers, any optimization of quantum
algorithms is welcome. Addressing this point, our paper shows that replacing the full quantum
Fourier transform in Shor's algorithm with a narrow-band version incurs only a negligible
performance penalty. We also show how the performance of such a streamlined version of
Shor's algorithm scales with the number of qubits n.

In order to objectively characterize the performance of a quantum computer with n
qubits, equipped with a banded quantum Fourier transform of bandwidth b, we defined the
performance measure P(n, b, ω) in Sec. IV [see (22)]. This measure was carefully chosen
to accurately reflect the performance of the quantum computer in terms of the probability
of a successful factorization, yet not excessively expensive to compute numerically and,
most importantly, a convenient starting point for analytical computations. As shown in
Secs. V and VI, our performance measure fulfills both goals. Although any given peak in
the quantum Fourier transform contains several l states with significant overlap with the
Fourier peak, and useful for factorization in classical post-processing [10, 18], our performance
measure defined in (22) is based only on a single l state, i.e. the state $|l_j\rangle$ closest to
the central maximum of the Fourier peak number j [see (20)]. This, no doubt, is convenient
for analytical calculations, as successfully demonstrated in Sec. VI, and for the following
reason it is also justified. Numerically investigating the response of the Fourier peaks to
a reduction of the bandwidth b, we found that the width of the Fourier peaks stays the
same (about one state) while the height of the Fourier peaks is reduced. Thus, all l states
under a Fourier peak respond in unison to a change in b (see Fig. 2), and since the width
of the Fourier peaks stays the same, the number of significant states in a peak is conserved,
too. This means that a single state under the peak, for instance, the state with maximal
overlap, accurately represents the response of any other state under the peak, in particular
the states useful for factorization. Thus, summarizing our choice of performance measure,
we may say that, of course, choosing all those states under a Fourier peak that are useful for
factorization, would be best. However, this is computationally prohibitively expensive and
not useful for analytical calculations. A proxy is necessary. Because of the uniform response
of all states in a Fourier peak, this proxy is provided, e.g., by the state closest to the central
peak, $|l_j\rangle$, and leads directly to our performance measure P(n, b) defined in (22).

The exponential fit function in (66) is shifted by 8 units in n. A possible explanation is the
following. n = 8 corresponds to N = 15, the smallest odd semiprime. However, for N = 15
all possible orders ω are powers of 2. Therefore, according to the discussion in Sec. IV,
Shor's algorithm performs perfectly in this case for all b. This means that P(n = 8, b, ω) = 1
for all b, which is true independently of b only if $\xi_b$ is multiplied with n − 8 in the exponent
of (66).



The largest RSA challenge number [31] is RSA-2048. It has 2048 binary digits, which
corresponds to 617 decimal digits. Factoring this number on a quantum computer requires
a minimum of 4096 qubits. As an illustrative example, let us assume that we factor this
number on a quantum computer with b = 8. Since no numerical simulation data are available
in this very-large n regime, we have to rely on our results (66) and (67) to estimate the
performance of the quantum computer. Which of the two formulas to use depends on which
regime, exponential or non-exponential, we are in. For b = 8, and according to (75), the
transition point $n_t$ for b = 8 occurs at $n_t = 20$. Therefore, since $n > n_t$ in this case, we are
sure that we are not in the non-exponential regime. However, how certain can we be that
the exponential law (66) is valid all the way up to n = 4096, when we checked it numerically
only up to $n \approx 30$ (see Sec. V)?

We answer this question in the following way. The moment expansion (86) is certainly
valid out to n values for which our low-order Taylor expansion of $\exp(-i\varphi)$ is valid, i.e.,
for $\varphi < 1$. Since $\varphi < \varphi_{\max}$, the safest estimate for the validity of (66) is $n < 2^{b+1}/(2\pi)$,
which is obtained from (54) for $n \gg b$. For b = 8 this implies n < 81. This is already
deeply in the n regime where current numerical simulations cannot follow. However, we can
do better than that. The moment expansion (86), together with our numerical observation
that the 4th order terms are given by $(\sigma^2)^2/2$, shows that the relevant expansion parameter
of (56) is not $\varphi$, but $\sigma^2$, which is much smaller than $\varphi^2_{\max}$. Therefore, we can safely assume
exponential decay out to n values for which $\sigma^2 < 1$. According to (93), then, this yields
the estimate $n < 12 \times 2^{2b}/\pi^2$, which amounts to n < 79682 for b = 8, much larger than
n = 4096 required for the factorization of RSA-2048. We conclude that, for b = 8, we may
safely use the exponential law (66) to estimate the performance of the quantum computer.
Therefore, using n = 4096 and b = 8 in (66), we obtain P(n,b) = 0.954, i.e. a quantum
computer with a bandwidth of only b = 8 can factor the RSA challenge number RSA-2048
with a performance of better than 95%. If we increase b = 8 by only one unit to b = 9, the
performance increases to 98%.
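The estimate above can be reproduced numerically. The following Python sketch is an added example, not code from the paper; it assumes the exponential-regime fit quoted in the abstract, $P(n,b) \approx 2^{-\xi_b (n-8)}$ with $\xi_b \approx 1.1 \times 2^{-2b}$, reads the qubit count as twice the bit length of N (as in the text's 2048-bit, 4096-qubit figure), and uses hypothetical function names.

```python
import math

FIT_PREFACTOR = 1.1  # prefactor of xi_b as quoted in the abstract (assumed here)
N_SHIFT = 8          # the fit is shifted by 8 units in n (the N = 15 case)

def xi(b):
    """Decay constant xi_b ~ 1.1 * 2**(-2b) of the exponential regime."""
    return FIT_PREFACTOR * 2.0 ** (-2 * b)

def performance(n, b):
    """Exponential-regime estimate P(n, b) = 2**(-xi_b * (n - 8))."""
    return 2.0 ** (-xi(b) * (n - N_SHIFT))

def taylor_limit(b):
    """Conservative validity bound n < 2**(b+1) / (2*pi) (phi_max < 1)."""
    return 2 ** (b + 1) / (2 * math.pi)

def variance_limit(b):
    """Sharper validity bound n < 12 * 2**(2b) / pi**2 (sigma**2 < 1)."""
    return 12 * 2 ** (2 * b) / math.pi ** 2

def qubits_for_modulus(bits):
    """Qubit count n for a modulus of the given bit length (n = 2 * bits)."""
    return 2 * bits

def min_bandwidth(n, target, b_max=64):
    """Smallest b whose estimate reaches `target`, considering only b for which
    n lies below variance_limit(b). The caller must also make sure that n is
    above the transition point n_t(b), which is not modelled here.
    Returns None if no b <= b_max qualifies."""
    for b in range(1, b_max + 1):
        if n < variance_limit(b) and performance(n, b) >= target:
            return b
    return None

if __name__ == "__main__":
    n = qubits_for_modulus(2048)
    for b in (6, 7, 8, 9, 10):
        inside = n < variance_limit(b)
        print(f"b={b:2d}  P={performance(n, b):.4f}  fit applicable: {inside}")
    print("smallest b for 95%:", min_bandwidth(n, 0.95))
    print("smallest b for 99%:", min_bandwidth(n, 0.99))
```

Because $\xi_b$ shrinks by a factor of 4 per unit of bandwidth, each extra unit of b cuts the loss $1 - P$ roughly fourfold at fixed n.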

Concluding this section, we briefly discuss the paper by Barenco et al. [32], which also
investigates the effect of the banded quantum Fourier transform on the performance of the
period-finding part of Shor's algorithm. In fact, their performance measure Q, based on the
probability of obtaining an $|l\rangle$-state closest to $2^n/\omega$, is, up to normalization, identical with
our performance measure. However, the main focus of [32] is the effect of decoherence on Q
and, similar to the work of Fowler and Hollenberg [15], Barenco et al. do not use factoring
of actual semiprimes N in their numerical simulations. Finally, the analytical performance
estimates in [32] require $b > \log_2(n) + 2$, which, for b = 8, implies n < 64. Therefore,
for small b < 8, the analytical formulas of [32] are not applicable to the performance of a
quantum computer in the technically and commercially interesting small-b, large-n regime
with n > 4000.



IX. SUMMARY AND CONCLUSIONS 



Given that quantum computers are difficult to build, any advance in the optimization of 
quantum algorithms is welcome. Accordingly, in this paper, we investigated the performance 
of Shor's algorithm equipped with a banded quantum Fourier transform. Our predictions 
are based on the following five substantial advances. 

1. Properly $\omega$-averaged numerical simulations of factoring actual semiprimes N for qubit
numbers ranging from n = 9 to n = 33, yielding the numerical performance estimates
(66) in the large-n regime and (67) in the small-n regime.

2. Analytical and numerical justification of the separation of the k and j sums in the
definition of the performance measure as the foundation of analytical computations of
the performance measure in the large-n and small-n regimes. It is shown that both
separations are exponentially accurate, with exponential improvement of accuracy for
increasing bandwidth b of the quantum Fourier transform.

3. Analytical computation of the performance measure in the exponential, high-n regime,
which predicts the $2^{-2b}$ scaling exactly and the prefactor in within 10% of the
numerical result.

4. Analytical computation of the performance measure in the small-n regime, which 
predicts the functional form of the performance measure accurately and provides a 
reasonable estimate of a single, overall scaling factor. 

5. Analytical formula (75) for the cross-over points $n_t$ that mark the transition from the
non-exponential regime to the exponential regime of quantum computer performance.
For given bandwidth b and number of qubits n, this allows a quick, accurate, and 
convenient decision of whether the resulting finite-bandwidth quantum computer is 
working in the exponential or non-exponential regime. 

In addition, in Appendix A we prove the existence and uniqueness of an order-2 seed for
any semiprime N, which, in Appendix B, is used to prove that the maximal possible order
$\omega$ of a seed is less than N/2 (see Figs. 9 and 10). The maximally allowed $\omega$ is smaller than
the effective, representative $\omega$ chosen in [15]. However, due to the insensitivity of the results
in [15] with respect to the chosen $\omega$ (see Fig. 5 of [15]), this fact is not expected to change
the results predicted in [15]. Lastly, we investigate the statistical properties of an inverse
factor of $\omega$ in Appendix

In our opinion, and based on the numerical and analytical results presented in this paper,
we conclude that the period-finding part of Shor's algorithm equipped with a banded
quantum Fourier transform of bandwidth b is now essentially understood. However,
period-finding is not the most demanding part of Shor's algorithm to implement. This distinction
is reserved for the f-mapping part of Shor's algorithm (the modular exponentiation part),
which feeds register II with f(s) values (see Sec. II) and, compared with the period-finding
part of Shor's algorithm, requires vastly more quantum resources to implement.
Therefore, attention now has to be directed toward optimizing the f-mapping part of Shor's
algorithm.



Appendix A: Existence and Uniqueness of an element of Order 2 

In support of the result that the probability of encountering a seed with a small order
is small, we provide here a proof that there is one and only one seed x of order 2 for
any semi-prime N = pq, where $p \neq q$ are primes larger than 2. A seed is any positive
integer, larger than 1, that is relatively prime to N. Let us collect all possible seeds $x_j$,
$j = 1, \ldots, L-1$, including the unit 1, into a set $G_N = \{1, x_1, x_2, \ldots, x_{L-1}\}$. This way, $G_N$
forms a multiplicative group modulo N [36] containing L elements.

The computation of L is straightforward. There are at most $N - 1$ numbers that are
relatively prime to N = pq. (By definition, the unit element 1 is relatively prime to N
[27], but N is not.) However, $p - 1$ of these numbers contain a factor q and $q - 1$ of
these numbers contain a factor p, and these numbers are all different. Therefore, there are
$L = (N-1) - (p-1) - (q-1) = N - p - q + 1$ group elements. Since N, p, and q are odd, L
is even. At this point we cite a well-known theorem of elementary algebra that states that
each group with an even number of elements has at least one element that is different from
the unit element and is of order two [27]. Applied to our group $G_N$ this means that there
exists at least one seed $x \neq 1$ with $x^2 = 1$ modulo N, i.e. a seed of order 2.

At this point it is important to observe that if there is a seed x with $x^2 \bmod N = 1$, then
there is a mirror seed $z = N - x$, which is also of order 2, since
$z^2 \bmod N = (N^2 - 2Nx + x^2) \bmod N = x^2 \bmod N = 1$. Therefore, without restriction of
generality, we will restrict ourselves to the range of seeds smaller than N/2 and prove that
there is only one x < N/2 with $x^2 \bmod N = 1$, where N = pq.

We already proved that there is at least one x with

$$x^2 \bmod N = 1. \tag{A1}$$

Without restriction of generality, we can choose this x to be smaller than N/2, since, if it
is larger than N/2, its mirror will be smaller than N/2. Assume that there exists another
seed of order 2, y < N/2, with y > x (no restriction of generality) and

$$y^2 \bmod N = 1. \tag{A2}$$

Since $x^2 \bmod N = 1$ and $y^2 \bmod N = 1$, we have

$$(y^2 - x^2) \bmod N = (y - x)(y + x) \bmod N = 0. \tag{A3}$$

This equation holds if either (i) at least one of the factors is divisible by N or (ii) $(y - x)$
contains p and $(y + x)$ contains q, or vice versa. However, case (i) is impossible: Since both
x and y are smaller than N/2, $(y + x) < N$ is, therefore, never divisible by N. For the same
reason $(y - x)$ is divisible by N only if $(y - x) = 0$, which is excluded, since, according to
assumption, $y \neq x$. This leaves case (ii).

Since $x^2 \bmod N = 1$, we have $(x - 1)(x + 1) \bmod N = 0$. Since $(x - 1) < N$ and
$(x + 1) < N$, for any N > 2, neither factor is divisible by N and the product is divisible by
N only if $(x - 1)$ is a multiple of p and $(x + 1)$ is a multiple of q. There is no restriction of
generality here, since which factor of the product is divisible by which factor of N (p or q)
is merely a matter of properly labeling the factors of N. So, let us write:

$$x - 1 = \lambda p, \tag{A4}$$
$$x + 1 = \mu q, \tag{A5}$$

where $\lambda$ and $\mu$ are positive integers. We observe immediately that $\lambda$ cannot contain a factor
q, since otherwise $(x - 1)$ would be divisible by N. In the same way we reason that $\mu$ cannot
contain a factor p. We record this observation as

$$\lambda \bmod q \neq 0, \tag{A6}$$
$$\mu \bmod p \neq 0. \tag{A7}$$

We also have $y^2 \bmod N = 1$, i.e. $(y - 1)(y + 1) \bmod N = 0$, which now implies two
possibilities, since in (A4) and (A5) we already chose the naming convention for the two
factors p and q of N. The two cases are:

(A) $(y - 1)$ is a multiple of p, $(y + 1)$ is a multiple of q, (A8)

(B) $(y - 1)$ is a multiple of q, $(y + 1)$ is a multiple of p. (A9)

Let us look at case (A) first. Let us write:

$$y - 1 = \alpha p, \tag{A10}$$
$$y + 1 = \beta q. \tag{A11}$$

In analogy with the reasoning that led us to (A6) and (A7) we have

$$\alpha \bmod q \neq 0, \tag{A12}$$
$$\beta \bmod p \neq 0. \tag{A13}$$

Then, because of x, y < N/2, (A3), and the discussion following (A3), we need to prove that
either $(y - x)$ contains a factor p and $(y + x)$ a factor q or vice versa. We write:

$$y + x = (y - 1) + (x + 1) = \alpha p + \mu q. \tag{A14}$$

But since $\alpha$ is not divisible by q [see (A12)] and $\mu$ is not divisible by p [see (A7)], $(y + x)$ is
neither divisible by p nor by q. Therefore, case (A) leads to a contradiction, which implies
that according to case (A) a second order-2 seed $y \neq x$ does not exist.
Let us now look at case (B). Let us write:

$$y - 1 = \gamma q, \tag{A15}$$
$$y + 1 = \nu p, \tag{A16}$$

where, again, in analogy with the reasoning that led us to (A6) and (A7), we have

$$\gamma \bmod p \neq 0, \tag{A17}$$
$$\nu \bmod q \neq 0. \tag{A18}$$

Then:

$$y - x = (y - 1) - (x - 1) = \gamma q - \lambda p, \tag{A19}$$

which, because of (A17) and (A18) is neither divisible by p nor by q. Therefore, case (B),
too, leads to a contradiction.

As a result, we obtain that the existence of an additional order-2 seed $y \neq x$, y < N/2
is impossible. Therefore, x is the unique order-2 seed with x < N/2. This means that for
any given semi-prime N = pq, there are exactly two order-2 seeds, x < N/2 and its mirror
$N - x > N/2$.



Appendix B: Maximal Order 

In connection with Shor's algorithm, for a given semi-prime N, we consider seeds x with
an even order $\omega = 2Q$, where Q > 1 is a positive integer. The purpose of this section is to
show that the largest possible even $\omega$ is smaller than N/2.

A seed x, 1 < x < N, is a positive integer, relatively prime to N = pq, where $p \neq q$ are
prime numbers larger than 2. As discussed in Appendix A, the set of seeds x forms a group
$G_N$ with

$$|G_N| = N - p - q + 1 = (p - 1)(q - 1) \tag{B1}$$

elements. We note that, according to (B1), $|G_N|$ is divisible by 4, a fact which will become
relevant below. If x is relatively prime to N, so is $N - x$. Therefore, if x is a seed, so is
$N - x$, which implies (i) a symmetry of seeds with respect to N/2 and (ii) that there is an
even number of seeds. We use (i) to define a set Gn, consisting of elements x = (x, N — x), 
where x and iV — x are identified. The set Gn forms a group. This is so, since G^ contains 
the unit element 1 = (1, N — 1), the product xy of two elements of G^ is again in Gn, and 
with each x, we also find its inverse in Gn- Because of (i) the group Gn has 

\G N \ = \G N \/2 (B2) 

elements. 

Let us form the set $G^*_N$ that contains the squares of x modulo N. Since $G^*_N$ contains the
unit element 1, and since with each $x^2$ and $y^2$ in $G^*_N$, the product

$$(x^2)(y^2) \bmod N = (xy)^2 \bmod N \tag{B3}$$

is also in $G^*_N$, and since with each $x^2$ we also find its inverse

$$(x^2)^{-1} \bmod N = (x^{-1})^2 \bmod N \tag{B4}$$

in G* N , the set G* N is a group. In the same way we form the set G* N from the squares of x 
in Gn- Because of the definition of Gn, identifying x and N — x, and because of 

$$(N - x)^2 \bmod N = x^2 \bmod N, \tag{B5}$$

which shows that the squares of x and N — x are identical, the groups G* N and G* N have 
the same number of elements. In addition, as is easily verified, the groups G*pj and G^ are 
isomorphic, which implies that the order of an element in G* N is the same as the order of an 
element in G* N . Let us denote the number of elements in these two groups by 

= \G N \ = M. (B6) 
FIG. 10: Maximal possible orders $\omega$ (maximum order) computed and displayed for each N in a
complete list of semiprimes in the interval $< N < 10^5$. Apparently, the maximal possible order
never exceeds N/2, a fact proved in the text.

Then, because of ( 1B2j) . and because G* N is a subgroup of Gn, we have that 

M = \G* N \ divides \G N \ = \G N \/2. (B7) 

One possibility is M = \Gn\/2. However, since the group G* N of squares is a subgroup 
of Gat, M = \Gn\/2 is possible only if there are as many squares x 2 in G* N as there are 
elements i in Gjv- However, because of the existence of a non-trivial order-2 element a (see 
Appendix A), this is impossible, since both $1^2 = 1$ and $a^2 = 1$, which immediately implies
M < | |/2. Therefore, the largest possible M that divides $|G_N|/2$ (an even number) is
$|G_N|/4$, which implies

$$M \le |G_N|/4. \tag{B8}$$



According to Euler's totient theorem [27], we have for any $x^2$ in $G^*_N$:

$$(x^2)^M = 1, \tag{B9}$$

which implies that the order of any element x 2 in G* N is at most M = \Gn\/4=. Because of 
the isomorphism between G* N and G* N , this implies that the order of any x 2 in G* N is at most 
$|G_N|/4$. This, finally, implies that the order of any element x in $G_N$ is at most $|G_N|/2$, i.e.

$$\omega \le |G_N|/2 < N/2. \tag{B10}$$

FIG. 11: The fraction $\langle 1/r \rangle$ as a function of n for several semiprimes. The fit line (solid line) is the
function $\langle 1/r \rangle = 2^{-(n-8)/2.6}$.

We note that since an essential element of the proof is to consider the group of squares of
x, the proof indeed applies only to even $\omega$. An illustration of (B10) is provided in Fig. 10,
which shows the maximum even orders of all semiprimes N ranging up to N = 100000. The
figure illustrates (i) that the maximal order is indeed smaller than N/2 and (ii) that the
maximal order of a given semiprime N is not always close to N/2 but still has to divide the
group order. Therefore, in addition to the line ~ N/2, we also see the lines corresponding
to ~ N/4, ~ N/6, etc.
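The two appendix results can be checked by brute force for small semiprimes. The following Python code is an added example, not part of the paper; its function names are hypothetical, and the comparison with lcm(p - 1, q - 1) uses a standard property of the multiplicative group modulo pq that the paper does not state and that accounts for the N/4, N/6 lines in Fig. 10.

```python
from math import gcd

def primes_up_to(n):
    """Sieve of Eratosthenes."""
    sieve = [True] * (n + 1)
    sieve[:2] = [False, False]
    for i in range(2, int(n ** 0.5) + 1):
        if sieve[i]:
            for j in range(i * i, n + 1, i):
                sieve[j] = False
    return [i for i, flag in enumerate(sieve) if flag]

def multiplicative_order(x, N):
    """Smallest k >= 1 with x**k = 1 (mod N); x must be coprime to N."""
    k, y = 1, x % N
    while y != 1:
        y = (y * x) % N
        k += 1
    return k

def seed_statistics(p, q):
    """Orders of all seeds (1 < x < N, gcd(x, N) = 1) of N = p*q."""
    N = p * q
    seeds = [x for x in range(2, N) if gcd(x, N) == 1]
    orders = {x: multiplicative_order(x, N) for x in seeds}
    order2 = sorted(x for x, k in orders.items() if k == 2)
    return {
        "N": N,
        "group_size": len(seeds) + 1,  # seeds plus the unit element 1
        # N - 1, the mirror of the unit element 1, also squares to 1; it is
        # listed in order2_all but lies above N/2, outside the proof's range.
        "order2_all": order2,
        "order2_below_half": [x for x in order2 if 2 * x < N],
        "max_order": max(orders.values()),
    }

def verify(limit):
    """Check Appendix A and B for every N = p*q <= limit, p < q odd primes.
    Returns (number of semiprimes checked, list of N violating a check)."""
    odd_primes = [p for p in primes_up_to(limit // 3) if p > 2]
    checked, violations = 0, []
    for i, p in enumerate(odd_primes):
        for q in odd_primes[i + 1:]:
            if p * q > limit:
                break
            s = seed_statistics(p, q)
            lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)  # lcm(p-1, q-1)
            ok = (len(s["order2_below_half"]) == 1           # Appendix A
                  and s["max_order"] == lam                  # group exponent
                  and 2 * s["max_order"] <= s["group_size"]  # (B10), part 1
                  and s["group_size"] < s["N"])              # (B10), part 2
            checked += 1
            if not ok:
                violations.append(s["N"])
    return checked, violations

if __name__ == "__main__":
    print(seed_statistics(3, 5))
    print(verify(300))
```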

Appendix C: 1/r average 

For the analytical formula (69), we need the average $\langle 1/r \rangle$ of 1/r as a function of n, where
r is defined in (62). We computed it in the following way. First, we computed all possible
orders, $\omega_j$, of a given semiprime N with their associated multiplicities, $u(\omega_j)$. Then, we
extracted the odd part of the obtained orders, r, as defined in (62). Denoting the odd part
of a specific order $\omega_j$ by $r_j$, in analogy with (65) and (120), we obtain

(C1)

where the symbols in (C1) share the same definition as shown in (65) and (120), i.e. $\phi_E(N)$
is Euler's totient function and a(N) is the number of orders for given N. Figure 11 shows
the computed $\langle 1/r \rangle$ according to (C1) as a function of n, the number of qubits needed for
a reliable determination of the order as described in connection with (64). By graphically
extracting the n-dependence of $\langle 1/r \rangle$ using the fit line in Fig. 11, we find

$$\langle 1/r \rangle = 2^{-(n-8)/2.6}. \tag{C2}$$